I was in such shock to see Ed Shultz still on TV it didn't think too much about McAffee's statement. he said he was lying. I think we knew that,
But he had a reason to do it.
McAffees motto should be "Whose to blame? Hookers and cocaine!"
Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid
(The conventional wisdom is clearly wrong; this hack wasn't perpetrated by Putin & Co; it was obviously done by Bernie Sanders' campaign staff in an unauthorized data-trolling operation. More on that theory later when I'm sober.)
Good read LoanShark. Thanks for posting. I hate to think that sysadmins were the weak link here, but I suppose some of them can be co-opted to run a MS Word macro.
Paranoia, the destroyer.
Seems equally plausible that the attackers co-opted a normal user or plant operator level account first, and gradually escalated their privileges once they gained a toehold. They had plenty of time to do that - 6 months or so.
Why would they do that? Data encryption at rest is more important than ever.
I'd actually be far more interested in seeing device vendors set up a mode where the device tells your employer's email server "yeah yeah, you have permission to remote wipe the device etc. etc." but not actually do that.
For a lot of people, getting your work email on your phone requires accepting a device policy that gives the administrator of the email server permission to remote-wipe the device. And of course there are mobile device managers that can get even more heinous than that.
If device manufacturers truly cared about their customers, they would create a mode where it tells the email server that it was given permission to remote-wipe the device, but if such a request actually comes across, tells the server to go shit in its hat.
you should cosider that in case of device loss you may not want the finder be able to access your data.
*This* is why we can't have nice things.
Why would they do that? Data encryption at rest is more important
Oh, was this in response to the Amazon FireOS comment?
This article annoys me. The example provided just is a piss poor excuse for bad password changing policy. Which is used almost anywhere, I acknowledge.
Admin's should be way more demanding, 50% difference to all previous passwords, or something like that. I dunno how feasable that is with hashed and salted passwords, though.
In general, passwords should be at least 20 chars long and they must not contain a number. There are only 10 digits, why reduce your entropy on one char, if you could simply demand one char more and let the user choose it? People will use a 1 or their birthdate (visible on facebook) or some other stupid number.
On long term, we need to overcome passwords, there must be something smarter. My 30 char long passphrases are a nightmare on touchscreens to enter. And the more often you mistype, the easier it is for somebody to spy on your fingers.
The problem with passwords at all my clients is always the boss or the bosses. They choose the easiest and worst passwords ever, I even have one that uses 12345, another site uses a common 4 letter word for admin logins (and at the same time disable dhcp for security reasons, so the network is harder to hack *...). They always want to know the passwords of everyone else, so they can "log in to their computers, if needed." So passwords need to be stored on paper somewhere in the office, which then lands on the server as a scanned page. Or there is a password text file on the public share.
So, besides the xkcd hint, is there any good guide that a boss would understand for a password policy in the office?
* This disabling dhcp hack is a common security by obscurity trick, that would have stopped me for like 15 minutes when I was 14. In the age of ubiquitious internet, it does probably only stop the persons that want to use the network with good intentions.
Password complexity requirements make people write down their passwords (or store them in some unsecure location online) which completely ruins the whole objective.
And although all reasonable people understand that, the people who do security policy all seem to stick with complexity requirements because that's the current "standard" and no one wants to go out on a limb to buck it. Realistically, password policies should be like "contain a symbol or hieroglyphics *or* be more than 20 characters"
Subject: additional tags: #rants #workplace
It seems to be a common "best practice" by windows admins to disable DHCP as a layer of security, so that it "is harder to hack the network". Ok, I have only seen this at two clients side, but both of them share the following:
1. It is incredibly hard to do any normal admin work, like hooking up a new computer, replace a network device, etc. Because you need to put the MAC address on the whitelist and maybe add a distinct address to the host. The result is, people issue a hardwired IP in the device and forget to document that.
2. They use the worst passwords ever, enforce absolutely no password policy and users never have to change their passwords.
They use passwords like "pass" in the one place, for admin accounts. In the other place, there are local admin accounts on the machines with absolutely no password at all. And all the switches communicate with the "intelligent management console" via ... telnet. Logging in with the very same masterpassword... which is slightly identical to the domain admin password. Oh, and most important people share the very same simple password for all their computer accounts, "because we need to use the other persons computer a lot". (In a domain scenario, where you could login with your own account to the other computer. But people do not save files on the server, they use their own desktop, so..)
So, while I as an admin that only hooks up gear to the network have to jump through hoops and get to enjoy typing in hundreds of MAC adresses, the people with the most confidential data act like total retards and only need to memorize one utterly mongoloid password. Which is also a common term at the place, so it is easily guessable on top of all that.
Lesson learned: "Der Fisch fängt immer am Kopf an zu stinken." A german proverb, stating that the fish begins to smell from the head on, when it rots. In all places I have worked for, the more important the people or the files, the more stupid the passwords and the behavior. (Guess where the master password list is stored in clear text?!)
Subject: Re: additional tags: #rants #workplace
Disabling DHCP as a means of keeping away an intruder who has already gained access to the physical network is only going to slow them down by a tiny bit. They'll just sniff the wire for a minute or two to figure out its addressing scheme, and look for traffic on port 53 to learn the location of the DNS servers. In fact, a good attacker will do that even in the presence of a DHCP server, to avoid having any DHCP requests logged.
I haven't seen a lot of access networks having DHCP disabled as a security measure. What I do see often though, in a larger organization, is the Windows, Linux, and Network teams fighting over who gets to run the DHCP server, and gains the control it offers.
Hmm... such a big todo about security lately, what with all those breakins overseas.
Hospitals victims of ransomware... ugh...
Everyone knows about the 220.127.116.11 Google DNS server.
Now there's a new one at 18.104.22.168, called "Quad9 DNS" service, that checks all requests against IBM's "X-Force threat intelligence database" -- whatever that is.
And just like Google, IBM has managed to keep itself from laughing uncontrollably while claiming they wouldn't use DNS lookup data to snoop on users' privacy.
I'm more concerned about the 10.10.10.10 server. That one, somehow, has managed to gain access to my private network.
IG, IBM's "X-Force threat intelligence database" is the database that houses the intelligence and research performed by the IBM X-Force Research team, which is a highly respected commercial security research team. Much of their research is published on the X-Force Exchange, which is a "cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence and collaborate with peers."
That second link is a blog run by that team's leadership, btw