Slashdot Mirror


User: sinij

sinij's activity in the archive.

Stories: 0
Comments: 2,919

Comments · 2,919

  1. Re:Because of the Limited Lifespan? on Panasonic Announces an End To Plasma TVs In March · Score: 2

    This is almost 6 years of continuous operation. How long do you think your backlight will last?

  2. Re:Elaborate social engineering hack != "pen testi on Pen Testers Break Into Gov't Agency With Fake Social Media ID · Score: 1

    The answer is 'scope creep'. Penetration testers operate under 'normal use' assumptions and will attack systems and interfaces 'head-on'. For example, if you have a password-protected interface then it is assumed that the password is not known and cannot be known unless said interface can be manipulated into divulging it. Generally speaking you assume that policy and procedures are followed. While you could always torture a sysadmin for passwords, "getting in" this way will not tell you much about system security. As such, penetration testing is not about "getting in" but about testing the effectiveness of system protection against a specific threat level/sophistication.

    Social engineering attacks are a bit different. When you test against social engineering attacks it isn't about getting in but about testing the effectiveness and rate of compliance with policy.

    So what did the tests mentioned in the OP identify? Well, they identified that policy and procedures are not being followed in granting access to the network and hardware. A simple "assign asset to employee ID" check would have stopped this, so I suspect that procedures are flawed or outright ignored.

    They also identified that a spear phishing attack succeeded; this means that a) users have unnecessary privileges and/or b) intrusion detection is inadequate. The OP does not identify how long the backdoors they installed remained undetected. They also did not specify if they gained potential access or actually managed to extract useful information. Outright preventing sophisticated spear phishing in a large organization is very very hard, but identifying and mitigating it is fairly routine and frequently automated.

    With enough effort you could spear phish anyone. For example, if you date, marry me, start a family, and live with me for a decade or two you can get me to divulge my sensitive passwords. If I were head of the CIA it might even be worthwhile.

    With this type of attack the question is not how you prevent attackers from "getting in" with social engineering, but instead how you mitigate damage and put roadblocks in place to delay them.

  3. Re:Job offer is not "break into" on Pen Testers Break Into Gov't Agency With Fake Social Media ID · Score: 0

    I have read the full article, and "...with Fake Social Media ID" actually makes no sense. Social engineering someone to bypass all procedures and give out access to strangers a) is not penetration testing and b) has very little to do with social media. The New Year card attack was spear phishing combined with inadequate IDS.

    Here is what pen testers succeeding would look like: leveraging a zero-day exploit in the popular social media platform, pen testers gained remote access to the Gov't Agency's internal network, which for some reason was configured to use Facebook Login as an acceptable remote authentication protocol.

  4. Job offer is not "break into" on Pen Testers Break Into Gov't Agency With Fake Social Media ID · Score: 0

    To "break into" you have to get hired, get past the security clearance process and then get hired into a position that has access to something valuable, then succeed at taking it. When you are willing to manufacture lies, the "job offer" is the easy part.

  5. Re:Simple... on Automakers Struggle With Pairing Smartphones To Car Infotainment Systems · Score: 1

    Are you telling me people actually buy cars for features like OnStar? There is demand for this?

    My guess is that people buy for "remote assistance", or "I wanted backup camera that was part of technology package" reasons.

  6. This won't do anything for Linux on desktops on Torvalds: SteamOS Will 'Really Help' Linux On the Desktop · Score: 0

    Drivers aren't the main reason behind low rates of adoption. Valve's move won't do anything for getting non-SteamOS Linux flavors on desktops since there is still a huge "RTFM noob" problem that is in my opinion the main obstacle to general adoption of Linux.

  7. Re:3D print a new dash. Remember DIN? on Automakers Struggle With Pairing Smartphones To Car Infotainment Systems · Score: 1

    Thankfully you still can get 'only-car' from Subaru if you buy basic trim. I am not sure how long this will still be the case, so you might want to accelerate your purchase and double-down on maintenance. Your next one will probably have to last you into retirement.

  8. Re:Simple... on Automakers Struggle With Pairing Smartphones To Car Infotainment Systems · Score: 1

    >>>Please don't make excuses for the incompetence of the auto industry.

    It isn't incompetence, it is inability to keep up with rapid changes. These things are trivial to the /. crowd because we are all in IT/CS-related fields. Now imagine if in order to patch your OS you had to rebuild a hydraulic pump in your computing device, because suddenly all of them had to include these.

  9. Re:This article is nonsense on The Luddites Are Almost Always Wrong: Why Tech Doesn't Kill Jobs · Score: 1

    Stop playing games with redefining wealth until it suits your point of view. This is the kind of flawed thinking that assigns more value to a new economy car today than a comparable economy car 20 years ago. In reality you keep driving shitty cars your entire life, maybe now with airbags and only due to government regulation, and are not any better off.

    Wealth is a relative term. It is % of the total pie. You are wealthy when you have means to acquire assets. Yes, in absolute value you now have more, but so does everyone else, and competition for limited resources leaves you running in place. This is like Alice in Wonderland - you have to keep running just to stay in place.

    Your claims that the middle class is now better off than X years ago because they, for example, have access to the iPhone 5, when before they only could get the iPhone 2, is absurd.

    The poor of today live like the poor always lived - in abject poverty. The hand-me-down electronics do not make them better than "kings of the dark ages".

  10. This article is nonsense on The Luddites Are Almost Always Wrong: Why Tech Doesn't Kill Jobs · Score: 5, Insightful

    This article is flawed because it relies on historical patterns when we are entering an entirely different age. The Industrial Age is over and we are transitioning into the Information Age. Comparing pre-industrial agricultural society to the early industrial age is a much better comparison, but then it doesn't support the premise. Few of us that are familiar with the history will tell you that this transition resulted in a lot of societal ills, and displaced farmers and merchants did not all find jobs in the factories. The few that did find jobs were ruthlessly exploited and did not at all benefit from this transition.

    Comparing telephone operator jobs to telemarketing jobs won't tell you what will happen when automation combined with a growing population will make any kind of job scarce. It is very possible that within a generation only the top 10% of intellectual ability will be needed; the rest will be automated away. Even today we know that productivity has already entered an exponential growth period. We also know that the benefits of this productivity are not reflected in growing wages - nearly all of the extra wealth created by this productivity increase is channeled into corporate dividends and not wages. The pattern is very clear - fewer workers doing more for about the same pay. This cannot support a growing unemployed class by creating service job opportunities, unless you are talking McJobs.

    Attempting to portray critics as Luddites is 'poisoning the well', further compounded by willful denial of empirical evidence of the societal trends to the contrary. Yes, the author is correct - technology is morally neutral, it is neither good nor bad. What we do with it - and presently as a society we choose to enrich 1% of our population - is what we should focus on.

  11. What's wrong with a wireless keyboard and mouse? on Valve Announces Steam Controller · Score: 1, Interesting

    What's wrong with a wireless keyboard and mouse? The PC crowd does not want a console controller, why try to force it?

  12. Feature creep, delays? on Gaming Legends Discuss Using Kickstarter For Their Next Projects · Score: 2

    I read TFA (don't judge) and all I could see is feature creep and delays written all over the project. EA's death marches to release should be avoided at all costs, but the polar opposite is not any better.

  13. Internet never forgets... on 'Eraser' Law Will Let California Kids Scrub Online Past · Score: 2

    "Internet never forgets" is not a problem if you were an adult when social media first became popular. For young people today it will be cruel and unusual punishment once they become adults.

    I don't think it is reasonable to judge someone based on what they said many years ago. People change. People grow up and become adults.

    At the same time we know that a legislative solution like that will be ineffective. Only social change would work, but that won't happen until our generation is around. So they are screwed for at least another decade(s).

  14. Sorry, didn't read TFA.... on Comments About Comments · Score: 4, Funny

    Sorry, didn't read TFA, what are we talking about again? Ah, comments.

  15. You will never change them on Ask Slashdot: Does Your Work Schedule Make You Unproductive? · Score: 5, Insightful

    You will never change them. Find a company that allows flex hours and doesn't manage by putting out fires with more fires. They are out there.

  16. Re:Private enterprise controlling speech on NYT Publisher Says Not Focusing on Engineering Was A Serious Mistake · Score: 1

    So I take it you are fine with 'free speech zones'?

  17. Re:Private enterprise controlling speech on NYT Publisher Says Not Focusing on Engineering Was A Serious Mistake · Score: 1

    Then your interpretation of the constitution leads to an unrealized and hollow right. How are you going to realize your right when the means of communication are censorious?

    A car analogy: You buy a car, but it turns out that all roads around your house are private. Owners decide not to let you drive on their property. Sure, you can still get into your car and legally drive it to the end of your driveway, but you no longer have a way to legally use your car.

  18. Re:Private enterprise controlling speech on NYT Publisher Says Not Focusing on Engineering Was A Serious Mistake · Score: 1

    The marketplace of ideas is an intellectually bankrupt idea when you take it this literally. It is meant to be a concept that approximates the flow of information on a sufficiently large scale, not a specific message or idea.

    Even then it is somewhat flawed: it assumes that the masses are rational and it assumes that everyone has perfect access to the information. Both of these assumptions are demonstrably untrue.

  19. Re:Private enterprise controlling speech on NYT Publisher Says Not Focusing on Engineering Was A Serious Mistake · Score: 1

    >>>Hook up your own webserver to the net.

    This is not a feasible solution, unless you also suggest that "hook up your own web server" is part of grade school education. With something as important as Free Speech you need to give access to it to everyone, and that includes the troglodyte science denialist that is also very likely a 12:00 flasher. Even if we ignore this very important aspect, there is still a question of projection and audience. How many people will be accessing your blog vs. how many people are accessing social media? If you want to get the message out, "your own web server" is about the worst way to do it. Even if you succeed at getting the message out, doing so will probably crash it and/or bankrupt you with bandwidth bills.

  20. Private enterprise controlling speech on NYT Publisher Says Not Focusing on Engineering Was A Serious Mistake · Score: 1, Interesting

    All of this is a very dangerous trend, where public and private entities (corporations) control the majority of our speech. How can one exercise freedom of speech when in the 21st century nearly all speech is digital, over this or that walled garden?

    We have Net Neutrality protecting data transmission, where is our Digital Speech Neutrality?

  21. Can someone explain this with a car analogy? on GNOME 3.10 Is Now Properly Supported On Wayland · Score: 1

    Can someone explain this with a car analogy?

  22. Re:Nay, Google Play reviews Google+ on Can Internet Pseudonymity Be Saved? · Score: 2

    Solved, as in destroyed the system where people stopped writing reviews? I can easily disregard any Google+ comments, because now with certainty I can say that reviewers either lack clear judgment and penned a review under their real name or are accepting monetary compensation for exposing themselves to potential harm.

  23. Saved? Internet cannot exist without it on Can Internet Pseudonymity Be Saved? · Score: 2

    From the very underlying infrastructure, where you are who you declare you are, to all kinds of social interactions enabled by technology, the Internet is pseudonymous. 'Real Name' is a very recent fad pushed on us by social sites that are unhappy with the limitations imposed on their data mining (and profits) by the very nature of the Internet.

    The Internet does not forget and you have no control over the audience of any of your communications. Considering the vast number of people involved, you can't even assume that your audience is reasonable or objective.

    As a result, using a Real Name is not unlike talking to a room of armed schizophrenic psychopaths - no matter what you say you have very little control, regardless of presentation or content, as to whether you are going to end up lynched for what you said.

  24. Re:end-point security on Ask Slashdot: Can We Still Trust FIPS? · Score: 2

    No matter how good your encryption it still can be easily decrypted with a rubber hose.

  25. Yes, but... on Ask Slashdot: Can We Still Trust FIPS? · Score: 4, Informative

    FIPS is a financial and government-facing certification. FIPS guarantees correct implementation of cryptographic protocols according to a set of standards. It does not guarantee that there are no undiscovered (or backdoored) weaknesses in your implementation. This is still a useful function to entities that require this certification. Corporate liability and loss due to getting hacked because of an incorrect cryptographic implementation is orders of magnitude greater than liability and loss due to exposed NSA backdoors. It is all about risk management, and it says FIPS is still a good idea.

    Now, if you want personal security this equation changes a bit - the possibility of personal harm due to hypothetical NSA backdoors goes slightly up and your likelihood of getting targeted to get pwned goes drastically down. FIPS is still likely a net benefit, but diminished.

    Keep in mind that there is no such thing as perfect security. You have to ask, how likely is it that this specific implementation was backdoored by the NSA and what is the worst possible outcome of such an occurrence?