
Submission + - OPM hack included fingerprints

schwit1 writes: The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they're hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.

"It's probably the biggest counterintelligence threat in my lifetime," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."

Comment Re: Citizen, I notice your resistance (Score 1) 74

I agree that everyone has something to hide, just as everyone is a target of 'cyber' attacks. However, while I have not yet read the full bill and the linked article is a bit sparse on actual fact, sharing attack data would be tremendously helpful. If private companies are able to share STIX/IOCs (with information deemed private stripped out), that information would be very useful. While I worked for an Amazon sub, we couldn't even get attack data amongst companies that were, essentially, the same. Currently if you were to ask your biggest competitor to share data, you will get a 'No, thanks' at best. Most of this seems to be from lawyers/compliance people that seem to think sharing the data will make the sky fall. There are some private companies attempting to do this but the solutions are immature and not really ready for any sort of meaningful exchange. Facebook is doing their Intel sharing but it hasn't gotten off the ground yet.

I would agree that the government is probably not the best clearing house for true threat data. Look at InfraGard & CERT: sure, they send out useful data, but it's usually late, and if you want the really interesting bits, you need a clearance (which, working at a private company, is practically a non-starter). The security industry needs to figure this out for itself before the fed steps in and makes it the same black hole that sharing data with them currently is.
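The comment above argues for sharing STIX/IOC data with private information stripped out. The following is an added example (not code from the commenter or from any project mentioned) of what that stripping step can look like: it takes a STIX 2.1-shaped bundle held as Python dicts, drops objects and properties that describe the victim rather than the adversary, scrubs hostnames and addresses under the company's own domain, and then plays the recipient side by matching the surviving indicators against firewall log lines. The bundle, the object ids, the domain `corp.example.com`, the custom `x_acme_*` properties and the log lines are all constructed for the example; the internal ranges are an assumption (RFC 1918 plus loopback and link-local).

```python
"""Strip company-private details from a STIX-style indicator bundle before
sharing it, then match the shared IOCs against log lines as a recipient would.
Added example; bundle, ids, domain and log lines are all constructed."""
import copy
import ipaddress
import re

# IPv4 comparisons as written in STIX patterns, e.g. [ipv4-addr:value = '1.2.3.4']
IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9.]+)'")

# Ranges that describe our own network rather than the adversary's; an
# indicator pointing at one of these must stay in-house (assumed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Object types that describe the threat itself. Notes, sightings, identities
# and observed-data mostly record who saw what where, so they are not shared.
SHAREABLE_TYPES = {"indicator", "malware", "attack-pattern", "marking-definition"}

PRIVATE_DOMAINS = ("corp.example.com",)  # constructed company domain

# Constructed sample bundle: one external IOC, one indicator for an internal
# host, and an analyst note. Only the first should leave the company.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.45']", "pattern_type": "stix",
         "valid_from": "2015-07-01T00:00:00Z",
         "description": "Beacon seen from db01.corp.example.com, triaged by jdoe@corp.example.com",
         "created_by_ref": "identity--00000000-0000-4000-8000-000000000009",
         "x_acme_ticket": "SOC-4711"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '10.20.30.40']", "pattern_type": "stix",
         "valid_from": "2015-07-01T00:00:00Z",
         "description": "Compromised internal jump host"},
        {"type": "note", "spec_version": "2.1",
         "id": "note--00000000-0000-4000-8000-000000000004",
         "content": "Pulled from jump01.corp.example.com by jdoe@corp.example.com",
         "object_refs": ["indicator--00000000-0000-4000-8000-000000000002"]},
    ],
}

# Constructed firewall lines on the recipient's side.
SAMPLE_LOGS = [
    "2015-07-02T10:14:03Z fw1 ALLOW 192.168.5.12:51234 -> 203.0.113.45:443",
    "2015-07-02T10:14:09Z fw1 ALLOW 192.168.5.12:51235 -> 198.51.100.7:443",
    "2015-07-02T10:15:00Z fw1 ALLOW 192.168.5.13:51236 -> 203.0.113.4:80",
]


def pattern_ips(pattern):
    """IPv4 literals referenced by a STIX comparison pattern."""
    return IPV4_IN_PATTERN.findall(pattern)


def is_internal(ip):
    """True if the address falls in one of our internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def scrub_text(text, private_domains):
    """Replace e-mail addresses and hostnames under our domains with placeholders."""
    for domain in private_domains:
        dom = re.escape(domain)
        # users first, so the domain part of an address is not mistaken for a host
        text = re.sub(r"\b[\w.-]+@" + dom + r"\b", "[internal-user]", text)
        text = re.sub(r"\b(?:[\w-]+\.)*" + dom + r"\b", "[internal-host]", text)
    return text


def sanitize_bundle(bundle, private_domains):
    """Return a copy of `bundle` that is safe to hand to another company."""
    shared = {"type": "bundle", "id": bundle["id"], "objects": []}
    for obj in bundle["objects"]:
        if obj["type"] not in SHAREABLE_TYPES:
            continue
        if obj["type"] == "indicator" and any(is_internal(ip) for ip in pattern_ips(obj["pattern"])):
            continue  # an indicator for our own host leaks topology, not threat intel
        # drop custom (x_) properties and the producer reference, copy the rest
        clean = {k: copy.deepcopy(v) for k, v in obj.items()
                 if not k.startswith("x_") and k != "created_by_ref"}
        for field in ("name", "description"):
            if field in clean:
                clean[field] = scrub_text(clean[field], private_domains)
        shared["objects"].append(clean)
    return shared


def match_shared_iocs(shared_bundle, log_lines):
    """Recipient side: (log line, ip) pairs where a line carries a shared address."""
    iocs = sorted({ip for obj in shared_bundle["objects"]
                   if obj["type"] == "indicator" for ip in pattern_ips(obj["pattern"])})
    hits = []
    for line in log_lines:
        for ip in iocs:
            # guard both ends so 203.0.113.4 is not taken for 203.0.113.45
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((line, ip))
    return hits


if __name__ == "__main__":
    import json
    shared = sanitize_bundle(SAMPLE_BUNDLE, PRIVATE_DOMAINS)
    print(json.dumps(shared, indent=2))
    for line, ip in match_shared_iocs(shared, SAMPLE_LOGS):
        print("HIT", ip, "in:", line)
```

The allow-list of object types is the important design choice: rather than trying to enumerate every field that might carry something private, only object types that describe the adversary are copied at all, and even those lose their custom properties and producer reference. A real exchange would also check each object's TLP marking before release; that is left out here to keep the example focused on the stripping step.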

Comment Re: Tricky question (Score 2) 205

Sadly this is too true. A lot of the shops out there don't understand mitigating controls or 'we tweaked a configuration so we aren't vulnerable, despite what the banner says, and here's output from us actually using the exploit... see, not vulnerable'. That's one of the major issues I have with PCI: it's far too common for the auditors to not understand the context of the controls, let alone how the network is configured. I remember having to argue with an auditor about how umask and sudo worked.

When we evaluate third-party companies we request the most recent pentest report (depending on the data being shared), and most of what we get back is simply screenshots from some vuln scanner and 'clearly it says Apache so it must be vulnerable'. I would love for the end customers to be more educated on what the deliverables should be for a pentest.

Comment Re:NMAP (Score 5, Informative) 205

And this is why there are a ton of shitty 'pentesters' out there who seem to mistake running nessus or nmap scripts for a penetration test. No, it's not 'secret' knowledge and can easily be learned if you want to spend the time, but running metasploit doesn't make you a pentester.

Like defenders, pentesters generally need to find all the vulnerabilities (sadly many customers accept the first one, which ends up being a scoping issue) and understand how to mitigate anything that was discovered/exploited. That requires an understanding of protocols, networking, applications, web frameworks, etc. I have found that the best tend to have the capacity to think maliciously. IMO, that is a critical skill. I have seen far too many people that just don't understand why anyone would want to abuse a protocol, which makes them substandard pentesters.

As for the original question, there are plenty of tools out there that can help you learn: Metasploitable, WebGoat, Kali, SamuraiWTF (disclosure, I am good friends with the lead for that), ZAP, Burp Suite (pro is great and super reasonable). If you have corporate funding, there are some decent trainings out there: Offensive Security has their classes (and certs, I have heard mixed results). There is also SANS, which I have been increasingly disappointed with, but if you want a bunch of knowledge shoved in your head (at a pretty high dollar cost), they tend to do it. Also, some drift more towards network pentesting or application; personally, I think people should be versed in both (leveraging a remote code execution bug in a webserver is great unless you have no clue what to do within the OS).

For cheaper options there are a bunch of books that can teach you a ton of 'tips and tricks' around pentesting (Web Hackers Handbook 2nd Edition is particularly good). Having a solid background as a sysadmin makes it much easier IMO (my background is similar), since you are most likely familiar with troubleshooting, networking, multiple OS's and what not.

Comment Somewhat Related (Score 2) 320

Say you work for a company which gets compromised and data is exfiltrated out of the network to a known source (the attacker used scp, so the IP address, username and password are left within bash history or some other bash log). You find it within minutes or before the scp is completed. How do people feel about logging into the machine the data is being exfiltrated to and erasing it from the remote server?
Even if the 3rd party box is one they popped and not the attacker's true machine, you're not damaging the machine, network, etc.; you are just removing 'unauthorized data' (granted, it may be a very fine line).

Comment Perhaps it would have been useful (Score 1) 574

We have other venues such as the chromium-discuss mailing list and our feedback forums where it is appropriate to share your opinions. The forums are a place where we are set up to track user feedback and surface the most critical issues to the team without impacting the productivity of us developers who are busy trying to make Chrome work better.

Maybe it would have been useful to actually link to the forums (perhaps one specifically for UI/Design issues...) or the mailing list instead of just the slightly snarky comments.

Comment Re:It's legal for foreign money to be spent lobbyi (Score 2, Interesting) 183

I think the greater point is that corruption doesn't always look like corruption. Other countries have helped mitigate this problem, but I seriously doubt the public knows about even a fraction of how often this happens on a global scale, especially given how many countries are not open books when it comes to these sorts of things. Not to mention the rampant corruption organized crime helps create. While a bribe is always a bribe, a bribe doesn't always look like one.

The companies that offer bribes also need to be punished for doing so. The US enacted the Foreign Corrupt Practices Act to combat this problem, but few companies ever get more than a slap on the wrist and a wink & nod. Both sides need to realize that offering or accepting a bribe is something that can cost them more than just a few dollars (or whatever the currency).

Now for the obligatory wiki link:
The global costs are quite large.

Comment Re:Since customers can override the system.... (Score 2, Interesting) 393

Just thinking about this briefly, I can think of at least one concern (though not directly related to privacy). Power companies (at least in the US) have shown that they are unable to secure their infrastructure. So allowing them to 'control' your settings *might* be allowing an attacker to do the same (or worse).

Timmy O'Riley By L. Hadron and the Colliders 62

Making music has never been quite this awesome! Using only ThinkGeek products (Bliptronic 5000, Guitar Shirt, Drumkit Shirt, Stylophone, and Otamatone Electronic Instrument) the ultra-geeks over at ThinkGeek have created this ultra-cool cover of The Who's Baba O'Reilly. This also qualifies as a full blown shameless plug since ThinkGeek shares a corporate overlord with Slashdot.

Lack of Manpower May Kill VLC For Mac 398

plasmacutter writes "The VideoLAN dev team has recently come forward with a notice that the number of active developers for the project's MacOS X releases has dropped to zero, prompting a halt in the release schedule. There is now a disturbing possibility that support for Mac will be dropped as of 1.1.0. As the most versatile and user-friendly solution for bridging the video compatibility gap between OS X and Windows, this will be a terrible loss for the Mac community. There is still hope, however, if the right volunteers come forward."
