Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Comment: Sayy Whaaat! (Score 2) 145

by DarkOx (#48676053) Attached to: Crowds (and Pirates) Flock To 'The Interview'

You mean to say there were problems with radically altering the release plans for a major motion picture at the last moment!

Trying to do a for rent feature on kernel, which correct me if I am wrong normally just provides users with some code to redeem their move on some other VOD providers site, on short notice meant software issues and implementation holes is no surprise.

Now if Sony had been planing from the begging to make the Interview the first major direct to VOD feature release, we might have story. All we have here is "there were problems with a rush job".

Honestly I think the fact the mostly people seem to be able to pay their money and watch the file issue free speaks pretty highly of the folks that put it all together so quickly.

Its a little surprising that risked doing a seetheinterview.com and actually "screening" the movie there rather than just having a bunch pointers to youtrube, amazon prime, xbox-live, playstation network; in other words the folks that have been doing this for a while.

Comment: Re:They're assholes. (Score 4, Insightful) 317

by DarkOx (#48675625) Attached to: Why Lizard Squad Took Down PSN and Xbox Live On Christmas Day

This is true, but the issue is that is dumb! You really should be able to unbox a toy on Christmas morning have it work without going out the Internet and connecting to some account.

Maybe not all the functionality can be there, but functions that don't naturally require network access should not require network access.

Comment: Re:They're assholes. (Score 5, Insightful) 317

by DarkOx (#48675227) Attached to: Why Lizard Squad Took Down PSN and Xbox Live On Christmas Day

I think at least some blame does need to be lay at the feat of Sony and Microsoft here, but not because of 'network security' but rather creating the risk in the first place where there does not need to be one.

This was basically a DDOS attack. By and large those are difficult to defend, and the usual defense is just having over whelming resources. Should everyone just go an 90% under subscribe systems just to make the DDOS proof? I don't know does not see practical.

Why do these systems need network access to play a game bought on a disk? That is the bigger question, sure I can understand only supporting multiplayer through a centralized service, my issue is with the activation and phone home crap. There is no "good" reason someone should not be able to use these things without network access for single player experiences.

Customers out realize that the system is brittle because Sony and Microsft created a hard dependency where there never needed to be one. It might not be their fault they are attacked, but they do know or should have know they are targets. Hopefully the lession they take away from this is that basic functionality should be there if you have the system and game disk fresh out of box. Maybe you can't update, download new content, do multiplayer but folks ought to be able to at least play with it even if the network is down.

That way the scope of these little disasters would be limited.

Comment: Re:No, not "in other words" ... (Score 1) 291

by DarkOx (#48661337) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

On the other hand there is only so much wireless spectrum available that is set aside for 802.11x. Ever been to big even in a hotel where eveybody and their brother has the hot spot function enabled on their phones, is caring around those mobile hot spot things, folks are running classes in conference with their own wireless AP setup for their students, etc.

Wireless gets pretty unusable for everyone pretty fast. I can understand how the hotel which has just charged 100s of their other guest $14 for Wifi in their rooms does want to hear all the complaints about how they are constantly getting disconnected and everything is dirt slow.

I don't know what the right answer is exactly but the for any hotel hosting a large event, the status quo isn't work so well.

Comment: Re:Because TEH ENTERPRISE (Score 3, Interesting) 291

by DarkOx (#48661235) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

That and Cisco sells blocking of APs that are not your own as a feature of their WLC and Aironet equipment. If the FCC changes the rules I imagine they would not be able to release new firmwares and ISO images with the feature intact. A situation certain to irritate some customers who bought a lot of extra AP devices so they could support that functionality, and to create a situation where people won't apply updates and fixes as a result.

Comment: Re:Not a magic bullet... (Score 2) 71

by DarkOx (#48659875) Attached to: JP Morgan Breach Tied To Two-Factor Authentication Slip

Well, sure if someone finds an RCE all bets or off. Its also as you say true that at the network layer in many (probably most cases) the authentication is the same. Two factor on Windows networks is a great example, it does little to stop pass the hash attacks, for example. Internal threats will always be a problems because they have access to lots of intelligence about the target and they have access to a large attack surface.

On the other hand two fact is a very strong control against external threats. Most orgs, even large ones now days can get their attack surface down to handfuls of web servers and vpn devices. Its mostly true that web servers themselves are relatively well hardened now days. While Apache still provides us a with the DOS attack vector of the week, I have not seen an Apache specific RCE in a long time; ditto for IIS although it looks like one *might* have been possible before the recent schannel patches. So that leaves all the vulns in the application frameworks and applications themselves to exploit.

Basic advice:

Separate your DMZs one for your home page public information, rule 0 of your firewall policy separating your internal organization from those hosts is allow only inbound {inside} -> {dmz} connections for content pushes / management. Never allow those hosts to open a socket to the inside themselves, ever. Rule 1 is the inside is only allowed to connect on handfull of specific ports that you IPS/IDS the hell outa.

You next DMZ is where you handle accounts, shopping carts, etc. That one obviously is going to have to have some well defined communication with the inside, but rule 0 here is none of the external services are un-authenticated. The only thing anyone should be able to get here without authenticating is the authentication prompt. If you can manage to code up a login page / prompt without introducing a major vulnerability you'll probably be okay; or if you are ow3d post authentication you know who you can sue.

Comment: Vigilantes? (Score 1) 360

by DarkOx (#48655001) Attached to: North Korean Internet Is Down

Seems the the State Department could just get various friendlies to start announcing DPRKs prefixes from all over the places in BGP and pretty much nullify their ability to use the Internet.

Also given the attack did not originate from DPRK but is simply suspected sponsored by DPRK, this does not seem like it would be an effective response.

Comment: Re: Best pick up one of these (Score 1) 89

The protocol needs to start over clear voice, but than you do the equivalent of "STARTTLS" and see if the remote end answers. If it does you disable squelch and start applying the cipher to the payload in the audio packets as you build them, leaving the containers format in place, headers, sync bytes etc.

As far as the network is concerned it will still look like parametrized g.729 audio to the network. It will just decode as noise unless you possess the cipher. Which will be much more economical for most wireless customers until the carriers wise up and realize they ought to be metering the jitter controlled, packet loss intolerant voice traffic on their networks and selling best effort data as all your can eat, rather than the other way around.

Comment: Re:SMB, eh? (Score 2) 177

by DarkOx (#48640923) Attached to: Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

I don't even bother "compromising" an initial host on many engagements when the engagement has me to go on site. Its trivially easy to tailgate your way onto most corporate campuses; and set yourself up in an empty conference room.

Then you wait for LLMNR or NetBIOS/tcp messages on your subnet; which nobody disables, ever. Then you just collect the hashes for a while. No need even to mess around with PTH half the time, more often than not hashcat can crack at least one before you finish your first soda and you have your foot hold.

Comment: Re:Sony security: strong or weak? (Score 2) 340

You do have to cut them a little slack, here. If we were talking about a coal mining company or something and terabytes of data going out the door would be pretty unusual, and SEIM systems would be trained to flag that sort of thing.

This is Sony Pictures, though, terabytes probably go out the door all the time. I mean that might be less than a few hours of uncompressed video going to a contractor for post processing or something.

No my bigger question having done this kind of thing for a living now for some time is why would a basically purely IP organization not have effective controls in place, to know what kind of data is going out the door and to put a hard stop to it the moment something that should not be there is spotted.

Ok you can't maybe do that with the aforementioned video data, but you certainly can watch for byte patterns that look like address, SS numbers, e-mails in usually great quantity etc on the wire.

You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some mpeg headers on top a big encrypted data stream? probably, but they'd have to know to do it.

  If my entire world was IP like Sony Pictures id probably take it a few steps further make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to, anytime more than a hanful of megabytes of something I can't recognize flowed it would alert and some form the CERT team would pick up the phone a call whoever it was associated with that source IP. No attribution shut it down, no explanation shut it down.

The hardware and software to do this is commercially available, more or less off the shelf and has been for at least five or seven years now.

   

Comment: Re:BS (Score 1) 340

No hack would ever result in that kind of control

Disagree.

Lets face it the reality is lots and lots of BIG companies use things like Active Directory. Lots of this BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. Its not uncommon for Network infrastructure administrative interfaces to use an authentication gateway like say NPS (RAIDUS for AD).

So if you could get that Enterprise Admin access, well it might be a house cards from there. Given the recently published MS14-068 it might not even be that hard: https://www.trustedsec.com/dec...

So if you can get your foot in the door, however you do it just grabbing some tools off git hub and few blogs can get you near total ownage without having to do much of anything in the way of exploit development on your own. Consider this vuln was an off cycle patch put out in November, think there ~4 weeks on there are some big orgs that have lead times to get Windows patches applied to DCs longer than that? I would bet so, think an org like Sony stands a chance against a vuln like that when its an unpublished zero day? So get any access to the network at all, brute force one password for basically any user account crack a hash sniffed off the wire etc, and boom your a member of any windows groups you want!

Frankly I would not be surprised given the timing if MS14-068 was involved in the breach and I would not be surprised to hear of other major compromises thru leveraging it.

When a Banker jumps out of a window, jump after him--that's where the money is. -- Robespierre

Working...