
Comment: Re:No, not "in other words" ... (Score 1) 287

by DarkOx (#48661337) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

On the other hand, there is only so much wireless spectrum available that is set aside for 802.11x. Ever been to a big event in a hotel where everybody and their brother has the hot spot function enabled on their phones, is carrying around those mobile hot spot things, folks are running classes in conference rooms with their own wireless AP set up for their students, etc.?

Wireless gets pretty unusable for everyone pretty fast. I can understand how the hotel, which has just charged 100s of their other guests $14 for Wifi in their rooms, does not want to hear all the complaints about how they are constantly getting disconnected and everything is dirt slow.

I don't know what the right answer is exactly, but for any hotel hosting a large event the status quo isn't working so well.

Comment: Re:Because TEH ENTERPRISE (Score 3, Interesting) 287

by DarkOx (#48661235) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

That, and Cisco sells blocking of APs that are not your own as a feature of their WLC and Aironet equipment. If the FCC changes the rules I imagine they would not be able to release new firmware and ISO images with the feature intact. A situation certain to irritate some customers who bought a lot of extra AP devices so they could support that functionality, and to create a situation where people won't apply updates and fixes as a result.

Comment: Re:Not a magic bullet... (Score 2) 71

by DarkOx (#48659875) Attached to: JP Morgan Breach Tied To Two-Factor Authentication Slip

Well, sure, if someone finds an RCE all bets are off. It's also, as you say, true that at the network layer in many (probably most) cases the authentication is the same. Two factor on Windows networks is a great example; it does little to stop pass-the-hash attacks, for example. Internal threats will always be a problem because they have access to lots of intelligence about the target and they have access to a large attack surface.

On the other hand, two factor is a very strong control against external threats. Most orgs, even large ones, nowadays can get their attack surface down to handfuls of web servers and VPN devices. It's mostly true that web servers themselves are relatively well hardened nowadays. While Apache still provides us with the DoS attack vector of the week, I have not seen an Apache-specific RCE in a long time; ditto for IIS, although it looks like one *might* have been possible before the recent SChannel patches. So that leaves all the vulns in the application frameworks and applications themselves to exploit.

Basic advice:

Separate your DMZs: one for your home page public information. Rule 0 of your firewall policy separating your internal organization from those hosts is to allow only inbound {inside} -> {dmz} connections for content pushes / management. Never allow those hosts to open a socket to the inside themselves, ever. Rule 1 is the inside is only allowed to connect on a handful of specific ports that you IPS/IDS the hell out of.

Your next DMZ is where you handle accounts, shopping carts, etc. That one obviously is going to have to have some well-defined communication with the inside, but rule 0 here is none of the external services are unauthenticated. The only thing anyone should be able to get here without authenticating is the authentication prompt. If you can manage to code up a login page / prompt without introducing a major vulnerability you'll probably be okay; or if you are 0wn3d post-authentication you know who you can sue.
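The two-DMZ firewall policy sketched in the comment above, written out as a small rule evaluator in Python. This is an added illustration, not the poster's code; the zone ranges and the specific port numbers are assumptions standing in for "content push / management" and the "handful of specific ports" the IPS inspects.

```python
import ipaddress

# Zones are constructed example ranges for this illustration.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz_public": ipaddress.ip_network("192.0.2.0/24"),
    "dmz_app": ipaddress.ip_network("198.51.100.0/24"),
}

# Ordered allow rules for NEW connections; anything unmatched is denied.
# Ports are assumptions. "inspect" marks the app DMZ's few inside-facing
# ports that the comment says should be IPS/IDS'd heavily.
RULES = [
    # src zone,    dst zone,     dst ports,    inspect, label
    ("outside",    "dmz_public", {80, 443},    True,    "public web"),
    ("outside",    "dmz_app",    {443},        True,    "authenticated services"),
    ("inside",     "dmz_public", {22, 873},    False,   "content push / management"),
    ("inside",     "dmz_app",    {22, 443},    False,   "management"),
    ("dmz_app",    "inside",     {636, 5432},  True,    "auth + db, IPS/IDS inspected"),
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'outside'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, bool, str]:
    """Decide a new connection: (verdict, needs_inspection, reason).

    Rule 0 is implicit: no rule lets a public DMZ host open a socket to the
    inside, so any such attempt falls through to the default deny.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, ports, inspect, label in RULES:
        if src == rule_src and dst == rule_dst and dst_port in ports:
            return ("allow", inspect, label)
    return ("deny", False, f"default deny {src} -> {dst}:{dst_port}")
```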

Comment: Vigilantes? (Score 1) 359

by DarkOx (#48655001) Attached to: North Korean Internet Is Down

Seems the State Department could just get various friendlies to start announcing DPRK's prefixes from all over the place in BGP and pretty much nullify their ability to use the Internet.

Also, given the attack did not originate from DPRK but is simply suspected of being sponsored by DPRK, this does not seem like it would be an effective response.

Comment: Re: Best pick up one of these (Score 1) 89

The protocol needs to start over clear voice, but then you do the equivalent of "STARTTLS" and see if the remote end answers. If it does, you disable squelch and start applying the cipher to the payload in the audio packets as you build them, leaving the container format in place: headers, sync bytes, etc.

As far as the network is concerned it will still look like parametrized G.729 audio. It will just decode as noise unless you possess the cipher. Which will be much more economical for most wireless customers until the carriers wise up and realize they ought to be metering the jitter-controlled, packet-loss-intolerant voice traffic on their networks and selling best-effort data as all you can eat, rather than the other way around.

Comment: Re:SMB, eh? (Score 2) 177

by DarkOx (#48640923) Attached to: Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

I don't even bother "compromising" an initial host on many engagements when the engagement has me go on site. It's trivially easy to tailgate your way onto most corporate campuses and set yourself up in an empty conference room.

Then you wait for LLMNR or NetBIOS/TCP messages on your subnet, which nobody disables, ever. Then you just collect the hashes for a while. No need even to mess around with PtH half the time; more often than not hashcat can crack at least one before you finish your first soda and you have your foothold.

Comment: Re:Sony security: strong or weak? (Score 2) 339

You do have to cut them a little slack here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.

This is Sony Pictures, though; terabytes probably go out the door all the time. I mean, that might be less than a few hours of uncompressed video going to a contractor for post-processing or something.

No, my bigger question, having done this kind of thing for a living now for some time, is why would a basically purely IP organization not have effective controls in place to know what kind of data is going out the door and to put a hard stop to it the moment something that should not be there is spotted.

OK, you maybe can't do that with the aforementioned video data, but you certainly can watch for byte patterns that look like addresses, SS numbers, e-mails in unusually great quantity, etc. on the wire.

You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some MPEG headers on top of a big encrypted data stream? Probably, but they'd have to know to do it.

If my entire world was IP like Sony Pictures I'd probably take it a few steps further: make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to. Anytime more than a handful of megabytes of something I can't recognize flowed it would alert, and someone from the CERT team would pick up the phone and call whoever was associated with that source IP. No attribution, shut it down; no explanation, shut it down.

The hardware and software to do this are commercially available, more or less off the shelf, and have been for at least five or seven years now.
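The egress check described in the comment above (recognise a media container by its sync bytes, flag bulk PII patterns, and alert on large flows of unrecognised high-entropy data) as a Python sketch. This is an added illustration, not the poster's or any vendor's code; the size and entropy thresholds and the sample flows are constructed assumptions.

```python
import math
import random
import re
from collections import Counter

TS_PACKET = 188                    # MPEG transport stream packet length
TS_SYNC = 0x47                     # every TS packet starts with this sync byte
UNKNOWN_LIMIT = 4 * 1024 * 1024    # "a handful of megabytes" (assumed threshold)
HIGH_ENTROPY = 7.5                 # bits/byte; encrypted or compressed data sits near 8

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+")

def looks_like_mpeg_ts(data: bytes, min_packets: int = 16) -> bool:
    """True when a sync byte sits at every 188-byte boundary, as a TS container
    requires. An attacker who knows this check can forge the sync bytes, which
    is exactly the caveat the comment above concedes."""
    n = len(data) // TS_PACKET
    return n >= min_packets and all(data[i * TS_PACKET] == TS_SYNC for i in range(n))

def entropy_bits_per_byte(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def pii_hits(data: bytes) -> int:
    """Count SSN-looking and e-mail-looking byte patterns in the flow."""
    return len(SSN_RE.findall(data)) + len(EMAIL_RE.findall(data))

def classify_flow(data: bytes, pii_limit: int = 50) -> str:
    """Return 'allow' or 'alert:<reason>' for one captured outbound flow."""
    if pii_hits(data) >= pii_limit:
        return "alert:bulk-pii"
    if looks_like_mpeg_ts(data):
        return "allow"                       # recognised media container
    if len(data) > UNKNOWN_LIMIT and entropy_bits_per_byte(data) > HIGH_ENTROPY:
        return "alert:unrecognised-high-entropy"
    return "allow"

# Constructed sample flows (not real captures) for exercising the classifier.
def sample_ts_stream(packets: int = 64) -> bytes:
    rng = random.Random(1)
    return b"".join(bytes([TS_SYNC]) + rng.randbytes(TS_PACKET - 1) for _ in range(packets))

def sample_encrypted_blob() -> bytes:
    return random.Random(2).randbytes(UNKNOWN_LIMIT + 1)

def sample_pii_dump(rows: int = 60) -> bytes:
    return b"\n".join(b"%03d-45-6789 user%d@example.com" % (i, i) for i in range(rows))
```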


Comment: Re:BS (Score 1) 339

No hack would ever result in that kind of control

Let's face it, the reality is lots and lots of BIG companies use things like Active Directory. Lots of these BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. It's not uncommon for network infrastructure administrative interfaces to use an authentication gateway like, say, NPS (RADIUS for AD).

So if you could get that Enterprise Admin access, well, it might be a house of cards from there. Given the recently published MS14-068 it might not even be that hard:

So if you can get your foot in the door, however you do it, just grabbing some tools off GitHub and a few blogs can get you near total ownage without having to do much of anything in the way of exploit development on your own. Consider this vuln was an off-cycle patch put out in November; think there ~4 weeks on there are some big orgs that have lead times to get Windows patches applied to DCs longer than that? I would bet so. Think an org like Sony stands a chance against a vuln like that when it's an unpublished zero day? So get any access to the network at all, brute force one password for basically any user account, crack a hash sniffed off the wire, etc., and boom, you're a member of any Windows groups you want!

Frankly, I would not be surprised, given the timing, if MS14-068 was involved in the breach, and I would not be surprised to hear of other major compromises through leveraging it.

Comment: Re: Best pick up one of these (Score 1) 89

I did not give them a back door either. You can check that the thumbprints of the certs are not changing, or not trust any third-party CAs, if that's what YOU want to do under my scheme. For most folks that won't be practical; we will want to be able to call people and organizations we have never been in a position with to safely exchange keys, so just like on the web we will have to trust some third parties.

By making it easy to exchange certs directly with people you do meet in person you remove the CA chain from that point on and encourage the system in a way third parties can't compromise unless the cryptography is eventually broken. Nobody, not a LEA or anyone else, then has the capability to MITM calls between your devices from that point, provided they don't hack your phone somehow and change your settings, modify your cert store, etc.

My acceptable compromise isn't really with the LEAs but more with reality. You can't very well use a third party's network without them being able to identify the endpoints; Tor, even if it was untraceable (and it's not), would not be practical for a wireless voice network. My proposal has the benefit of being possible to implement without replacing the existing cellular and telephone network infrastructure. You just need handsets that know how to negotiate with each other. In that sense it's plausible that it could actually get off the ground, because as we all know expecting AT&T or VZW to do anything ever without first bending over for the spooks is a non-starter.

So, AC and Mods who marked my post flamebait for some reason, let me ask you:

[1] Do you have a better technical solution?
[2] Does your solution work without requiring the carriers to spend billions radically altering/upgrading their infrastructure?
[3] Can your proposal somehow conceal which endpoints calls are between?
[4] Can your proposal somehow conceal the duration of the call, beyond padding it out for some additional period?
[5] Can your solution easily inter-operate with existing endpoints?

Comment: Re:North Korea has proved something. (Score 1) 220

by DarkOx (#48634555) Attached to: Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower

Congratulations, you have just invented private IP MPLS service.

Someone should tell ALL the major telcos about this, and anyone who has ever wanted to build a WAN link between more than two sites in the last 15 years needing anything better than best-effort service.

Comment: Re:Screw them (Score 1) 220

by DarkOx (#48634449) Attached to: Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower

Yeah, Sony might as well pack up and go home until this thing is resolved. There isn't a lot they can do.

The U.S., on the other hand, should recognize this for what it is: an act of war. Once the possibility of real physical violence and attacks was introduced, it was no longer an attack on Sony Pictures but on society as a whole.

It's time for Government to step up and actually do one of the very few things it's actually charged with doing: provide for the common defense! We now have a situation where a foreign actor is assaulting our citizens (putting them in fear) and by extension infringing their rights of free expression.

What concerns me is that 0bama is figuring out a "proportional response". You don't "proportionally" respond to an act of war. This situation calls for a very disproportionate response.

We should do something like smart bomb Kim's palace. It would minimally impact the innocent citizens of the DPRK while sending the message that acts of aggression will not be tolerated and will be met with swift and brutal reprisal against YOU, not your nation, not your people, YOU. That is something a despot can understand and might actually fear. If we're really lucky he dies in the attack.

The Chinese need to be TOLD to just sit tight, lest they be considered conspirators in this attack against us.

Comment: Re:Screw them (Score 2) 220

by DarkOx (#48634241) Attached to: Hackers' Shutdown of 'The Interview' Confirms Coding Is a Superpower

And that isn't really an option either. Sony lost lots of HR and other PII data. If you work at Sony Pictures there is a good chance the "GOP" knows where you live.

If Sony releases it at all and there is any attack on its own employees, they might also open themselves up to lawsuits for negligence. To say nothing of the fact that they might lose their best talent due to people being afraid working there makes them a target.
