Slashdot Mirror


User: Evil+W1zard

Evil+W1zard's activity in the archive.

Stories: 0
Comments: 318

Comments · 318

  1. Partially Disagree on Schneier: Security Awareness Training 'a Waste of Time' · · Score: 1

    Security training is a necessity, but it's almost always done incorrectly. As much as it shocks us there are still hordes of workers who have no idea what spearphishing is or why anti-virus doesn't wholly protect their computer.... My belief is that once a year and at start date of the employee you have an online brief going over basic security/what to look for, reinforce the fact that the network and individual systems are monitored and let them know what the penalties can be for not practicing what they are learning. You make it so you have to click a question every 2 or so slides so they can't just click through and then the kicker is if they don't pass they don't get to take the test again. Everyone who fails has to go to an in-person briefing with security and corporate leadership.... Guarantee more attention is paid to the content when the possibility of looking like a dummy in front of the bosses is there (and yes I know the bosses will probably fail too...)

    And of course everyone should agree better security implementation within systems, networks, apps, processes and etc... should be accomplished. That's a no-brainer. But by no means should we just disregard trying to ensure the user base who has never heard of half the shit talked about on Slashdot have some kind of basic knowledge of what can go wrong when they open up furry_kittens.flv on their work machine...

  2. Rooted his own root access... on T-Mobile G1 Rooted · · Score: 1

    * OMFG break out your "I rooted your box and didn't even use a trojan" leet t-shirt.... Lame!

  3. These Have Been Around Since 70's on Dragonfly-Sized Insect Spies Spotted, Denied · · Score: 5, Informative

    I'm not saying that any of these were used (or a newer version of the technology) at the protest but remotely controlled mini-insect UAVs have been around since the 70's. If you go to the CIA's website and take the virtual museum tour (https://www.cia.gov/about-cia/cia-museum/cia-museum-tour/index.html) you can actually look at the Dragonfly Insectothopter that has been declassified. From the CIA text:

    "Developed by CIA's Office of Research and Development in the 1970's, this micro-UAV was the first flight of an insect-sized vehicle (insectothopter). It was intended to prove the concept of such miniaturized platforms for intelligence collection. Insectothopter had a miniature engine to move the wings up and down. A small amount of gas was used to drive the engine, and the excess was vented out the rear for extra thrust. The flight tests were impressive. However, control in any kind of crosswind proved too difficult."

    Once again I'm not saying these were used to spy on protesters, but I know people are going to be like "there is no such thing like this out there...." So I figured I would add in some info to show that this type of tech did exist.

  4. Was Part of the Patent... on IBM Ditches Outsourcing Patent · · Score: 1

    The outsource of their security services or is that owned by the Unisys team?

    Serious note: Big kudos to IBM on dropping this. IMO it shouldn't have been attempted to be patented in the first place, but at least for whatever reason it was dropped overall.

  5. Recommend the FAST product on Best Way to Build a Searchable Document Index? · · Score: 1

    I think you should take a look at the search capabilities provided by something called FAST ESP. They are based out of Norway but used all over the US govt and tons of commercial entities (like LexisNexis). The website for them is www.fast-search.com and from people I talk to it is supposedly pretty robust and can do intelligent searches, data tagging, authorization against data and stores, geo-tagging, yada yada yada and etc...

    W1z

  6. Yellow Liquid on Nuclear Info Kept From Congress and the Public · · Score: 2, Funny

    "The leak was discovered when a supervisor saw a yellow liquid ``running into a hallway'' from under a door, according to one document."

    Highly Enriched Uranium or Godzilla's Urine?!?!? You be the judge.

  7. Whats Worse? Storm or Nugache on Storm Worm Rising · · Score: 1

    We all know that the Storm botnet is a big ol' spambotnet but what about Nugache? That's the one I'm more concerned about as it is fairly huge and just sits there in the dark waiting!!! Has anyone identified WTH that one is prepping for yet or are we still all in wait mode...

    Insert Scary Music Here

  8. This Was Not the First Virus on The Computer Virus Turns 25 in July · · Score: 3, Interesting

    According to other reporting this is not actually the first virus. The first virus really should be the Creeper virus that infected DARPANET systems back in the early 70's. According to Viruslist, the virus was written for the Tenex operating system and was capable of independently gaining access through a modem and copying itself to a remote system. Once infected, the system would display the following message: "I'M THE CREEPER: CATCH ME IF YOU CAN."

    The Reaper was written to replicate and find Creeper and delete it. Then came Rabbit in 1974 which caused systems to crash because it screwed system performance due to replicating so fast (wonder why it was called Rabbit.....)

  9. Re:Wow...just wow on FBI Employees Face Criminal Probe Over Patriot Act · · Score: 1

    I honestly am divided on this. If the situation warranted it (i.e. Emergency situation that required immediate information to save lives) then I could understand this. But if this was just routine intelligence gathering I have to say I am disappointed at these agents. As someone said a few comments down this kind of abuse can lead to a serious mistrust of the organization and eventually continued abuses will lead to a level of oversight that will hurt the agents that follow the rules. Intel oversight is a good thing and I hope the fact that these agents are being punished restores some faith in IO.

  10. Prepare for Your Robotic Overlord on Robots Teach Autistic Kids Social Skills · · Score: 1

    The KASPAR Funding Bill is passed. The system goes on-line August 4th, 2007. Human decisions are removed from autistic teaching. KASPAR begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.

  11. Re:Human element is the greatest danger on Fresh Security Breaches At Los Alamos · · Score: 1

    One of the best first posts to an article ever. I 100% agree that this is really not all that interesting other than the media can sensationalize it because Los Alamos has been in the news previously... All it comes down to is an unclass laptop (and btw they will say that the laptop contained "sensitive" info in almost any case where a govt. system is stolen) and someone who typed up an email and didn't realize that something he typed was classified... Or it could have even been he marked the email as class by accident and it really wasn't (have seen those 'intercepted' before as well lol).

    Now for the laptop issue I vote for disc encryption to stave off loss of sensitive data. For the email issue use a system that checks content and stops info from leaving the network fully if deemed sensitive (Fidelis demo'd a product for us that does content based checks of emails, docs, IMs and etc leaving the network and kills the connection as soon as it thinks something sensitive is being sent out and generates an alert to security... Now this is more a guard against the accidental sending and not necessarily against a malicious user who can uber encrypt something with ROT-13... but it's a decent solution that I would recommend to them as they are being slammed in the public right now...)

  12. Anyone Else Find it Coincidental on Lake Disappears into Andes · · Score: 1

    That this occurred just around the time that FF4 Rise of the Silver Surfer was released???? Or maybe it disappeared because Chuck Norris was thirsty.

    In another news story a reporter asked Chuck Norris what he thought of the lake disappearing. His response was "I was thirsty."

    +3 Mod for Chuck reference

  13. FUD Article on 800 Break-ins at Dept. of Homeland Security · · Score: 4, Insightful

    Ok so here is the deal. DHS' network is a mesh of multiple other networks that were already in existence. This is problematic in itself as it involves a heavy amount of integration and also borders upon borders of perimeter security (each disparate agency is part of the whole but may have its own controlled interfaces for some level of separation...)

    Now let's go to the article. To the laymen you say 800 compromises and they go into "WOW THAT IS SO BAD" mode, but seriously come on. The compromises are mostly workstations. Now that doesn't mean they get a free pass, but it's not like they have had their core servers owned by foreign states... What they should be doing is not only scanning apps, DBs, and servers and patching/hardening them appropriately, but also client-side firewalling, config control of workstations, baseline security mechanisms for remote users, centralized virus/vulnerability patching... This article does not surprise me whatsoever and it really is not an indication that DHS security is horrible. It's not the best, but 800 is not that bad.

  14. What Will the Underwater Life Look Like on Radio Wave on Saturn's Moon Hints at Hidden Ocean · · Score: 1

    I don't know but if it resembles Jar Jar in anyways I vote we nuke that rock and quickly!!!

  15. Don't Steal my WoW account! on Unicode Encoding Flaw Widespread · · Score: 1

    So how long til we find out that there has been exploitation of this vulnerability for X number of months for the sole purpose of stealing our WoW accounts!!!

    Why steal someone's real identity when you can steal their uber virtual Undead Priest identity and sell it for 16 bucks.

  16. Just Build A PC with no Functionality! on Do We Really Need a Security Industry? · · Score: 2, Interesting

    I say just build an unbelievably simple AIS that has zero functionality. That's right: no user interfaces, no applications, no storage of information, not even a keyboard. Then we wouldn't have to worry about all that nasty malicious code, and keystroke loggers and... Oh crap someone just walked in and stole my do-nothing non-functional system. Guess I still need physical security.

    I have the utmost respect for Bruce, but that statement is fairly ridiculous. It's like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we would need Jared and annoying Subway commercials...

  17. Author is also a WOOT Program Chairs on Bridging the Gap Between Hackers and Academics · · Score: 3, Funny

    Anyone else catch that the person posting the article is also one of the Program Chairs for the event. Guess if you want free advertising /. is the way to go! Can't wait to see when Ron J. posts the article for P0rncon here!

  18. Re:Draw the line where you want on Many Dead In Virginia Tech Shooting · · Score: 1

    I don't care if you disagree with me because you have the coolest sig on /. that I have seen so far lol!

  19. Re:Gun Control is NOT the Answer on Many Dead In Virginia Tech Shooting · · Score: 1

    There was an older DoJ study done showing some statistics speaking to use of guns for self defense purposes. The problem with these studies as noted by the individual doing them is that a large amount of people won't admit to using a gun for self defense because they weren't supposed to be carrying the gun where the crime took place. But the stats are still pretty interesting, but old. I haven't been able to find any govt. sponsored current studies unfortunately, but I would not be surprised if similar results were found:

    Self-defense with firearms 38 percent of the victims defending themselves with a firearm attacked the offender and the others threatened the offender with the weapon. A fifth of the victims defending themselves with a firearm suffered an injury compared to almost half of those who defended themselves with weapons other than a firearm or who had no weapon.
    Care should be used in interpreting these data because many aspects of crimes including victim and offender characteristics, crime circumstances and offender intent contribute to the victims injury outcomes. About three-fourths of the victims who used firearms for self defense did so during a crime of violence

  20. Re:Draw the line where you want on Many Dead In Virginia Tech Shooting · · Score: 2, Insightful

    Japan has very strict gun-laws, but does that stop Japanese gangs in the major and smaller cities from using guns? Also an interesting side note is that while gun related deaths in Japan are notably less than the US its suicide rate is double that of the US...

    Fact is that crime in general (not just gun crime) is pretty rampant throughout America and I for one would feel a lot less secure if you took away the ability for me to protect my home if someone were to break in or carry a weapon if I had all the pre-requisite training to do so. (I am 100% for mandatory training for people who want to carry a weapon and I also don't believe fully automatic weapons are a necessity for the general populace.) But I do believe handguns, rifles, shotguns and the like are not overboard.

    All that being said this is pretty much sidebar back and forth to what is a very unfortunate event that was caused by a very, very sick individual.

  21. Gun Control is NOT the Answer on Many Dead In Virginia Tech Shooting · · Score: 1

    Opposite to you Switzerland is a country full of guns and avid gun users and also has very little gun crime. What it comes down to is that we already have an adequate amount of gun laws. What you don't want to do is take away guns from the people who use them in a legal fashion each and every day for home protection, sport and etc... In the US it is EXTREMELY easy to get illegal guns and criminals do this each and every day. In fact many times those carrying guns legally are often instrumental in stopping crimes from occurring.

    The fact is that we have a fairly sizable and fairly unstable nation and 1 out of every XX normal people can basically go stark crazy. It's unfortunate, but it happens. Not much has been released yet other than this was a student (according to a Vir. Rep Forbes) and that the student was male and turned the gun on himself. I have a feeling it's going to be another very disturbed white male (maybe even an ROTC student) and this will quickly get turned into a media fiesta attacking everything from video games to music to guns themselves and that is unfortunate.

  22. Re:Of Course They Should on Should Schools Block Sites Like Wikipedia? · · Score: 1

    Blocking Wikipedia because it's not a credible source.... Hmmm maybe we should block some of our own US textbooks that aren't very credible either. You know the ones that casually gloss over the genocide of the American Indian, downplay the role of the Russians in WWII. On a large part Wikipedia can be extremely helpful and very accurate. There are times facts are off, but how many times in school did we have to be told to disregard pages of text because the author was incorrect or the information was out of date...

    And to be very frank High School teachers are not necessarily very smart (even in the subject(s) they teach!) If I had a test of 100 random science, history, literature and other questions and had to choose the option of having a couple of teachers to assist me take it or access to Wikipedia I probably would choose access to Wikipedia. And yes I know this sparks the whole "teachers know how to teach information and that is what is important..." but to be honest I have seen studies state that learning through online mechanisms with the benefit of interactive visual aids provides much better absorption rate than sitting in a room listening to someone drone on about something they probably don't know much about in the first place.

    So ban Wikipedia and MySpace and all the other dangerous things that you think are "non-credible" or a waste of taxpayer's money (which is laughable because I could point to a few tenured teachers at my old HS that moreso fit that bill...) and later on we can look at this as the new form of book burning except now we just use blocks and filters...

  23. How Long Before... on Word 2007 Flaws Are Features, Not Bugs · · Score: 2, Informative

    Ok so 2 of the 3 bugs result in a DoS type situation and the third could allow for execution of arbitrary code... Using a Fuzzer don't you typically find DoS/Reboot/Crashes first and then more research to include debugging can show where in memory the crash occurs and then you move into the world of tailoring an overflow and allowing for execution of arbitrary code...

    To me DoS'ing a client-side app like Word is an annoyance, but I would expect to see exploit code coming that does do code execution or privilege escalation of some sort and then MS will patch it on Tuesday just like they've been doing for years...

  24. First Order of Business is DNC Acronym Change? on Democrats Appoint RIAA Shill For Convention · · Score: 4, Funny

    Jenni Engebretsen has proposed that DNC shall now stand for DO NOT COPY... She also will be instituting a new convention which will be named the Democratic Reform Meeting (DRM) which will be held monthly at a Regional Information Assembly Area (RIAA). She will also be engaging in a heavy handed campaign to support Military Personnel Aid and Assistance (MPAA).

  25. 1st Lame Star Trek Ref? on DoD to Put Internet Router in Space · · Score: 4, Funny

    DOD To Boldly Route Where No Man Has Routed Before.... These are the voyages of the Star switch Cisco...