
Comment: Re:Blameless Random Employees? (Score 1) 322

And who isn't to say that, as part of the hack, once they found someone high enough with the right credentials, they didn't create a couple of AD accounts? In mid-size organizations, identity management is dealing with thousands of accounts, having to create numerous exceptions for specific people and applications (oh, this Task Scheduler task can't allow for the account to change--and it needs super-duper-Admin rights to these particular servers; this Windows Service that runs on the production CRM server can't change password). So, a hacker could just hide some new accounts with fake descriptions for applications in-house (e.g. "SQL-Salesforce sync"), give them super rights even allowing for password changes, and presto... Or worse, pick such a valid account and start adding servers it has rights to. Security by Obscurity (ironically on the security platform).

Comment: No real need for updates, either... (Score 2) 322

The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.

But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and voilà! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.

But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...

Comment: Brian Krebs received one & posted it... (Score 4, Informative) 250

by BUL2294 (#48604101) Attached to: Sony Demands Press Destroy Leaked Documents
Brian Krebs got one, reported on it, and was kind enough to post it for the world to see Sony for their true colors...

Article: http://krebsonsecurity.com/201...
Demand Letter: http://krebsonsecurity.com/wp-...

I can hear Barbra Streisand's voice now... (Well, what I hear is "her" voice from the Mecha-Streisand "South Park" episode...)

Comment: Re:Something is dodgy here. (Score 2) 184

I wouldn't be surprised if someone at Sony were responsible for sending this email as a false-flag operation.

False-flag operation or not, that's a crime. If someone within Sony (or hired by Sony--e.g. their cybersecurity contractor) sent such an e-mail, that person is doing the equivalent of "screaming 'fire' in a crowded theater, when there is no fire". Not protected by free-speech and that person should be criminally charged with a felony.

Comment: Re:$1tr question--Why is all this Internet-facing? (Score 1) 528

by BUL2294 (#48531383) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
Explain how airgapping doesn't make you immune to Windows Updates? If your PC can't talk to Microsoft, and unless you're going old-school sneakernet with flash drives, how is it going to get updates? Most Windows updates solve some sort of security hole, usually caused by the execution of malicious software or some sort of security hole that's exploitable from the Internet. Take away "the Internet" and lock down what people can execute on their PCs within "the island" and problem solved. Yes, you now have a known unpatched security hole--but one that can't be exploited without access to the Internet. No malicious links, attachments, unauthorized software, browser toolbars, etc. Just people using limited specific software & specific versions on (for example) Windows 7-SP1.

As has been proven by Stuxnet and this breach, unlimited state-sponsored funds ALWAYS beats "networks with layered protection". Big-name companies that spend shitloads of money on security still get breached. 15+ years of "breeding a culture of corporate security" also hasn't worked. But if you require the network to have a physical presence, then you've eliminated your primary attack vector.

Comment: Re:$1tr question--Why is all this Internet-facing? (Score 1) 528

by BUL2294 (#48530431) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet? Wouldn't be that hard to create a disconnected network island "war room" in each office--disconnect some ports & buy new routers. The real issue ultimately becomes that you now might want to consider multiple such air-gapped networks (e.g. R&D, HR, Finance, etc.)

I have to assume that data breaches are much worse cost... This one has lost sales, lost goodwill, lawsuits, potential government fines (e.g. HR data), network design changes, etc. Even a $10 million air-gapped network would have been a bargain compared to this mess...

I'm still waiting for a massive Salesforce data breach... That'll be interesting when it happens.

Comment: $1tr question--Why is all this Internet-facing??? (Score 4, Informative) 528

by BUL2294 (#48528091) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
With all the state-sponsored corporate & military espionage caused by China & Russia, with the never-ending probes from government agencies like the NSA/DHS/GCHQ/etc., with malware & ransomware attacks that can encrypt data in (generally) unbreakable forms, with criminal hacking organizations making off with millions of credit card numbers from retailers, with apparently no network controls as to how much data leaves company firewalls & where it goes, and so on, why aren't there more internal air-gapped networks in companies???

This has hit the point of absurdity. If you are working on military plane designs, working on your next corporate acquisition, or even making movies or music worth tens of millions of $$$, why would you put your prized, unreleased digital files on computers that have Internet access? What kind of batshit stupidity is that? What, so your employees can browse Facebook & check Outlook e-mail at the same time? Such an air-gapped network would easily become an island--one that doesn't need Windows Updates, can stay on an old service pack, gets no software updates that solve 2 problems but make a new one (e.g. we know the bugs), and the like. And if those employees really need their Outlook e-mail, IM, or the Inter-Webs where they work, they can have a 2nd very low-end PC, connected to the main network, with a KVM between the two. Might even increase efficiency, given the mind's inability to multitask well. Or give them freaking iPads on a wireless network that's not connected to their "sensitive" work computer.

It boggles the mind that given all these problems, which are increasing in frequency & cost every day, we still have little more than software firewalls & hardware routers between a company's most highly-sensitive assets (files & computers) and the big-bad-Wild-West-no-holds-barred-Internet.

Comment: Re:Ummm ... Duh? (Score 1) 165

And you know this, how??? We all know that it should happen this way, but we have no way of knowing for sure whether that's the case. If my IoT thermostat gets hacked & reprogrammed to burn my house down, which is connected to my IoT furnace, how do I know that the IoT furnace a) hasn't also been hacked, b) even has the requisite hardware you speak of?

Read up on the Therac-25 incidents of the 1980s... http://en.wikipedia.org/wiki/T...

+ - Prospects rise for a 2015 UN climate deal, but likely to be weak

Submitted by Anonymous Coward
An anonymous reader writes "A global deal to combat climate change in 2015 looks more likely after promises for action by China, the United States and the European Union, but any agreement will probably be too weak to halt rising temperatures. Delegates from almost 200 nations will meet in Lima, Peru, from Dec. 1-12 to work on the accord due in Paris in a year's time, also spurred by new scientific warnings about risks of floods, heatwaves, ocean acidification and rising seas. After failure to agree a sweeping U.N. treaty at a summit in Copenhagen in 2009, the easier but less ambitious aim now is a deal made up of 'nationally determined' plans to help reverse a 45 percent rise in greenhouse gas emissions since 1990."

+ - Win8.1 broken update redux - Severe problems with November Update

Submitted by BUL2294
BUL2294 (1081735) writes "Microsoft's latest update for Windows 8.1, KB3000850 / November Update has been causing a myriad of problems with certain programs. The difficulties are being discussed on Microsoft Community Support, Reddit, MSFN, Neowin, and ASKVG.

Looking over the forums, this update breaks Avast Antivirus (forum discussion) and Classic Shell (forum discussion). Problems with Avast are particularly acute and may impact System Restore. Other prevalent issues include the inability to sleep or shutdown, issues with Internet Explorer and Control Panel, and inability to boot into Safe Mode to roll back the update. Some users have indicated that they need to reinstall Windows 8.1 completely. At least Microsoft learned the error of their ways after the April & August updates, and has made KB3000850 optional (for now)..."

+ - Amnesty International Releases Tool to Combat Government Spyware

Submitted by Gordon_Shure_DOT_com
Gordon_Shure_DOT_com (3919347) writes "Human rights charity Amnesty International has released Detekt, a tool which finds and removes known government spyware programs. Describing the free software as the first of its kind, Amnesty commissioned the tool from prominent German computer security researcher and open source advocate Claudio Guarnieri, aka 'nex'. While acknowledging that the only sure way to prevent government surveillance of huge dragnets of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool (downloadable here) a useful countermeasure versus spooks. According to the app's instructions, it operates similarly to popular malware or virus removal suites, though systems must be disconnected from the Internet prior to it scanning."

+ - Wells Fargo refuses to honor 30-year old CD because they can't find it

Submitted by BUL2294
BUL2294 (1081735) writes "The Consumerist and KPHO-TV Phoenix are reporting the story of a widow who attempted to cash a Certificate of Deposit (CD) at Wells Fargo that had been issued to her late husband for just over $18,000 in 1984. She has been battling with them since 2009, after finding the CD among other paperwork, and a decision in the court case is expected in January. The CD was issued by First Interstate bank, which merged with Norwest, which was bought by Wells Fargo. Wells Fargo has no record of the CD, but the physical document itself mentions that it has to be surrendered to receive payment, or could have been paid out by signing an indemnity form--which they also do not have. In addition, there's a fight over whether the CD is worth $60,000 or $400,000, as the CD was self-renewing and was issued when interest rates were 10.9%.

Ultimately, this is a case of data getting lost within 30-years worth of mergers and system changes. Both the existence of this instrument and its terms are probably on some long-lost tape that may no longer be readable, or paper copies were shredded years ago. That being said, we entrust that our banks and regulators can dig up such historical information... So what happens when they can't? As was evidenced during the US mortgage crisis, banks are terrible at appropriate document retention, so how could they prove what was paid out and when? More importantly, how much of banks' historical / legacy accounts are complete guesses?"


+ - Wells Fargo refuses to honor a 30-year old CD because they can't find it

Submitted by BUL2294
BUL2294 (1081735) writes "Consumerist and KPHO-TV Phoenix are reporting on a story where a widow attempted to cash at Wells Fargo a Certificate of Deposit (CD) that was issued in 1984. She has been battling with them since 2009 and the case has gone to court. The CD was issued by First Interstate bank, which was bought by Norwest, which was bought by Wells Fargo. Wells Fargo has no record of the CD, but the physical document itself mentions that it has to be surrendered to receive payment. In addition, there's a fight over whether the CD is worth $60,000 or $400,000, as the CD was self-renewing.

Ultimately, this is a case of data getting lost within 30-years worth of mergers and system changes. Both the existence of this instrument and its terms are probably on some long-lost tape that may no longer be readable, or were shredded decades ago. That being said, we entrust that our banks and regulators can dig up this information historically... So what happens when they can't? More importantly, how much of banks' historical accounts are complete guesses?"

+ - After Silk Road 2, eyes turn to 'untouchable' decentralized market

Submitted by apexcp
apexcp (931320) writes "Following a wave of Dark Net arrests that brought down the famous anonymous drug market Silk Road 2.0, all eyes have turned to a marketplace called OpenBazaar that is designed to be impossible to shut down.

Described as the “next generation of uncensored trade” and a “safe untouchable marketplace,” OpenBazaar is fundamentally different from all the online black markets that have come before it, because it is completely decentralized. If authorities acted against OpenBazaar users, they could arrest individuals, but the network would survive.

"If you're thinking about OpenBazaar as Silk Road 3.0, you're thinking about it much too narrowly," Patterson said in an interview last night. "I actually think it's much more powerful as eCommerce 2.0.""
