1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. We've had very few donations over the year. I'm going to be short soon as some personal things are keeping me from putting up the money. If you have something small to contribute it's greatly appreciated. Please put your screen name as well so that I can give you credit. Click here: Donations
    Dismiss Notice

IT security

Discussion in 'Tilted Gear' started by rogue49, Nov 22, 2014.

  1. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    I wanted to create a thread about this because the topic comes up so much.
    It's ubiquitous.

    So I'm dealing with computer security all the time...both personal and professional.

    A woman I'm dating just had her laptop pac-man'd by a malware
    I did battle with it...and now I have a policy of not touching systems of those I'm seeing. (put that up there with politics, religion and family...)

    And I typically grant privs and seal up the holes of the databases I work on.

    And IF you think you're invulnerable...think again.

    They just figured out how non-connected systems can be hacked wirelessly. - LINK

    And I'm thinking beyond the social engineering scenarios they're thinking...
    Wouldn't it be easier to just plant something in a component/part vendor??
    I doubt the vendor facilities are as locked-down. They're typically just a manufacturing plant or warehouse.
    Just plant your seed on a replacement part and wait.

    Interesting to think about...hmm?
     
  2. Stan

    Stan Resident Dumbass

    Location:
    Colorado
    Must be true love if you're pulling malware of her PC. That or she's really hot.

    I'm a bit of a dick when it comes to that sort of thing. There's a reason that my wife and dad are using Chromebooks. Their technical support got tired of removing shit and/or reloading them.

    I believe that Stuxnet was engineered along the lines that you are thinking.
     
    • Like Like x 1
  3. cynthetiq

    cynthetiq Administrator Staff Member Donor

    Location:
    New York City
    Scorpion mentioned air gap about a machine that wasn't connected to the internet but was still connected to something. Arrrgh! I can't watch that show.

    The white hat guy who discovered this couple of years ago made for an amazing story. He was perplexed to find a pc he setup never connected to the network was infected by a machine nearby.

    Here are some additional tips

    Schneier on Security: Air Gaps
     
  4. snowy

    snowy so kawaii Staff Member

    I need to get my dad a Chromebook. That's a really good idea. My dad gets convinced he needs a new computer every couple of years. We've taught him how to run the different anti-virus programs and malware programs, and he does a reasonably good job of doing so. But somehow, he and my mom unintentionally download tons of bloatware. This computer has lasted a lot longer than the others due to our lessons, so I'm considering that a win.

    I'm married to a former network testing engineer. If I didn't take care of my machine, I'd never hear the end of it.
     
  5. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Nope, just a horny nice guy...who's a bit stupid for a geek. :confused:


    I understand completely.
    The one I can't watch is Person of Interest....the whole premise of the show violates what I know about system connectivity and data sharing.

    Forget about even if it's technically feasible...you've got security (nuge), compatibility, field definitions, dynamic coding, legal privs...much less just territorial issues.
    I don't care if you're a "genius"...you're not psychic...there's no way you'd be able to know how get into something immediately.
    There's a lot of trial & error.

    Love the way the treat tech as magic.

    Security is not just a road-block to get around...it's a maze to figure out.
     
  6. redravin

    redravin Cynical Optimist Donor

    Location:
    North


    I hate watch Scorpion just because it annoys me so much.
    What they usually do to get around the whole trial and error bit is "I recognize this, it's something this person designed that I totally have memorized so I can get get past it." or they have a handy algorithm that will bust through whatever is there.
    My favorite is the guy who wrote a program that analyzed all the hit songs and then wrote guaranteed hits.
    So how did it account for "Valley Girl" or "In the year 2525" or did it discard them as outliers?
    /endrant/

    My form of security is being careful in where I go and what I do, running scans on my computer on a regular basis and keeping updated on the what security holes are out there.
    The problem as I see it it that the average user is never going to be able to keep up with the hardcore thief (I refuse to use the hacker in this context).
    If they want to come after you computer, they can and will.
    The only thing you can hope for is that you will be low on the radar and not worth their time.
     
    • Like Like x 1
  7. Stan

    Stan Resident Dumbass

    Location:
    Colorado
    Mine is keeping very good backups. I can rebuild my pc in about 3 hours.
     
    • Like Like x 2
  8. ASU2003

    ASU2003 Very Tilted

    Location:
    Where ever I roam
    I had this idea a long time ago. At least to categorize different types of music. There are some rhythms that hit on something in the brain, and then there is the creative part that separates songwriters from the rest of us.

    There area few chords that can be used to make most hit songs however...


    View: http://youtu.be/5pidokakU4I


    Anyways, for security I just make backups, and backups of the backups. I don't keep many files on the laptop itself. I have never needed to wipe my Macbook, but I could and be back up like nothing happened in a few hours. I like the Time Machine method of backing up the computer, even though I have only needed to use it once to find a file that was accidentally deleted.

    It is the banking industry, credit cards, defense dept., and a bunch of companies that need to improve their security. And the airgap hacks and other methods are pretty crazy.
     
  9. Street Pattern

    Street Pattern Very Tilted

    Last edited: Nov 23, 2014
    • Like Like x 1
  10. redravin

    redravin Cynical Optimist Donor

    Location:
    North
    I just saw this.
    Symantec is talking about a very high tec piece of malware that they have found called Regin.
    They say it was probably designed by a country rather than a person and it actually works in five stages.
    The damn thing targets ISPs, than spreads from there to major companies.
    It has stealth features and they can't figure it out because they need to see it in all five configurations.

    Computer spying malware uncovered with 'stealth' features: Symantec| Reuters

     
  11. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    You know...I'm the white hat that usually fills in the holes that prevents security breaches and monitors them. ("beyond parameter" security, encryption (data, etc) , real-time auditing, monitoring, analysis and testing (probes and more)
    BUT...I do this as a job.
    And I keep it separated from my personal life...nothing goes back & forth.

    I really don't understand those who attempt get in and extract...much less damage.
    I mean I get it, how...but I don't get it, why...it's really not a interest as a "hobby". Are they bored?? Do they do it because it's a challenge? Just because it's there?
    I get spies...that's their job.
    But just random ones that do it for the Lutz and cred.

    Whatever...just curious.

    ---------

    In the meantime, in truth...I find that most security breaches are NOT because of any incredible hacking. (...or high level tech either)
    But because we're dealing with humans on the target side.
    There is almost always a lack of followup & followthru.
    A "good enough" attitude.
    No after the fact testing or probing.
    No monitoring. ...Or even looking at the logs if they exist. ...Or the ability of the security folk to actually analyze and drill down on what they're supposed to be studying.

    MOST security folk are simply ex-military or police (no offense to them) ...BUT often they lack the IT skills to really know or understand...or care about what they're supposed to be securing. Its just about checklists, and hand smacking.
    MOST auditors...again, just clerks going thru the bureaucratic checklist...trying "gotchas" to justify their own existence...but not really getting real security...or HOW to execute it.

    MOST management doesn't want to deal with holes or changes, it's a "If it ain't broke, don't fix it"
    Hey! Isn't security about prevention?? Duh.
    Nope...I have the biggest political battles to just get things that are OBVIOUS fixed. (Uhh...a DB link with a simple password from a national website directly into the Treasury??? Known by 150 people over 5 yrs Hole, y'think???)

    Good example, a Direct of Information Security who asks me to "certify" to him that I cannot get into a encrypted dataset which I setup myself?? Uhh...certifying yourself?? Duh...

    This is what I'm talking about...IF insiders would just take common sense steps.
    Fix the holes.
    Look at the logs. ANALYZE the logs.
    Setup monitoring and auditing.
    Test, probe. ALL levels. EACH level.
    And so on...

    You would get a LOT less issues.
    But they don't
    People are lazy and short-sighted.

    So don't be surprised folks...if you spend a lot of money on a lock...and forget to lock it. :rolleyes:
     
    Last edited: Nov 23, 2014
    • Like Like x 3
  12. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Well, I guess IT security concerns have reared it's ugly head again...with an international political twist.

    Seems that North Korea has been a bad boy.
    Hacking into Sony...and revealing its info.
    This has created chaos in Hollywood...and cost quite a bit of money in a cascading effect.

    How the U.S. Could Retaliate Against North Korea

    Now, I don't want to get into the geopolitical consequences...but in a way, it's harder to hurt NK than Russia...they have less to lose and act upon.
    I want to focus on the IT security aspects...and the value of simple info and communications.

    In a way...they've done the US a favor...shown us the holes in our cyber policy and the consequences of not acting on cyber activities to companies.
    Nothing is safe anymore...even your friggin' email. (as if they couldn't figure it out before... :rolleyes:)
    But this really is a bit of inconsequential damage...a kick in the shin...but one that was distinctly painful...and sent shockwaves to the "brain" of the media's powers that be.

    This is nothing...what would happen if a truly skilled player or group did a "copy-cat" scenario??
    Anonymous?
    China, Russia??

    Or more ruthless or savvy, like ISIS? (yes, ISIS is media savvy)

    It's not just government documents and secrets at risk.
    There is damage from just letting "inappropriate" information out.
    No shit.

    And so...hopefully, companies learn to encrypt their communications. (yes, I know it will be more expensive and difficult....WAAA...y'hear the world's smallest violin playing, you multi-million dollar firms??)
    And fill in the holes.
    And instruct their players, the importance of being aware that ANYTHING they put down on ANY media...and be copied and used negatively. (..."you have the right to remain silent")

    How many times do you have to get burnt,
    before you figure it out?

    Stop being cheap.
    Stop being oblivious.
    Figure it out.

    No need to be paranoid...just be aware and thorough.
    Followup, follow-thru.
    Clean, rinse, repeat.
     
    Last edited: Dec 18, 2014
  13. Street Pattern

    Street Pattern Very Tilted

    Sorry -- there will be plenty of very stern talk, and absolutely zero action.

    Encrypted communication? Awareness and thoroughness? Cybersecurity followthrough? By U.S. corporations?

    Ha. We will see none of these.

    Sony will be seen as an isolated self-inflicted catastrophe (how dare they make a movie that upset somebody!), not anything remotely relevant to ordinary process of moneymaking.

    Your expectations are wildly optimistic.
     
    Last edited: Dec 18, 2014
    • Like Like x 1
  14. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Oh, they aren't my expectations...I'm just as cynical as you.
    I'm just recommending it.

    Then again, many doctors recommend their patients stop smoking and cut down on eating too much... ;)

    And like doctors, thanks for the business...keeps me busy and employed.
    Just don't wonder why they're coughing and can't climb stairs...and don't wonder how people could get into their shit.
     
    Last edited: Dec 18, 2014
    • Like Like x 1
  15. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
  16. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    A Quick Guide to the Worst Corporate Hack Attacks

    A very interesting overview.
    One thing that everyone tends to forget is the impact to the "little guy".
    While they focus on the scale, corporate fiscal impact and company reputation...they don't account for the impact to all the folks who got their data stolen.

    What IS the fiscal impact to them?
    What is the logistic and legal impact to them??

    They would be able to come to an estimate after some months after the breach.

    And what steps were taken to resolve it?
    Prevent it again?

    I find that most management is only worried about it from a "save face" standpoint...and to prevent class-action lawsuits.
    What inconveniences THEM...not the people the records were about.
     
  17. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    I wanted to answer this here...so it could focus on the security and not take away from the politics (plus I'm posting way too damned much in politics, friggin becoming the rogue show :rolleyes:)

    Policy is solid...has been for a long time. (I'm acting IT security coordinator for my DOJ gig, not my main role...they just have me doing it because I have the most cybersecurity experience)

    Problem is 3 fold...
    Execution, attention and mindset.

    People and mgmt don't give it priority until they have to...they find it annoying, like homework.
    They don't followup or follow-thru on it.
    It interferes with their momentum and making things function easy and convenient.
    Leaders don't want to authorize fixes because it takes time, money, effort and testing. They are risk adverse.
    Most cybersecurity folk are ex military or police who act as clerks hand slapping, but they don't REALLY know computers and how to probe, evaluate, monitor or drill down in systems or logs. (or they forget to)

    So it's like a speed limit which everyone ignores including the cops.

    Back when Hillary was doing her thing (5 yrs ago), most weren't aware...govt mgrs weren't pushing it as much. Not as much training.
    Now...with all the hacks.
    Mgmt is aware, people are more aware, policy is pushed.
    So everyone knows "right & wrong", they're trained in it. And people now say, "How could you??"
    BUT
    Still they do NOT like to deal with it.
    There is still a challenge with attention and execution.

    Most security is simply an accumulation of settings done over time as they get to them or are allowed to.
    OR slammed into place AFTER there's been a breach.
    BUT then it is forgotten about...as they move onto more interesting things.

    You see the difficulty now??
    People treat cybersecurity like taxes.
     
    Last edited: Jul 10, 2016
    • Like Like x 2
  18. martian

    martian Server Monkey Staff Member

    Location:
    Mars

    You know Bruce Schneier and didn't offer to introduce me?

    I don't think we can be friends anymore.
     
  19. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    What our cyberwall knows

    It's not that we don't have the tech
    It's not that we don't have the policy
    It's the lack of followup and follow-through.
    And idiot posturing like this. :mad:
     
  20. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Virgin Media breach 'linked customers to porn'

    Yep, it’s not just about your finances...initially

    Often your personal info can be used against you
    In a hypocritical moralistic world
    Who judges you by double standards
    And take action against you
    And hurt your relationships

    Ruthless criminals know this
    And can us it to leverage you to gain cash.

    Adult sites have an obligation to secure as much as any bank
    ANY biz has that obligation

    It’s the cost of doing business these days.
    Not costing your clients’ face.


    (* Thanks to the TFP for providing a frank platform to talk about these adult matters.
    Because ironically the typical FB account cannot post topics like this for the same reasons.
    ...And others sites have memberships that can’t be adult)
     
    • Like Like x 1