BAE Systems Threat Research Blog: Two bytes to $951m

The next time anyone tells you that they have built a „Secure“ system, get them to read this article.

Source: BAE Systems Threat Research Blog: Two bytes to $951m

An unknown number of people with a lot of easily acquired knowledge, but not so common skills, developed and deployed a system of hacks to manipulate a „secure“ banking system to transfer almost a billion dollars to accounts unknown. A large amount of this money is now „accounted for“, whatever that means, while 81 million dollars are still missing. That looks like a pretty good return on investment if you’re not too worried about illegalities, or if you consider it just liberating the money from robber banks.

Of course, many will say „our security standards are better than those in Bangladesh“ but those people are just trying to reassure those who cannot, for whatever reason, understand the signals generated by this particular case.

An incredible number of systems rely on the same kind of system components that were misused in this hack. I would not have believed it until I saw it: so many systems rely on reading and writing text files from some location, often a network share, and those files are easily manipulated if due attention is not paid to their security.

Just last week I had an application development team who could not, or would not because of time constraints, understand why it was a bad idea to let a server inside the secure zone reach out to a server on the internet in order to automatically download some code. The number of ways in which their deployment scheme could be hacked into and misused was mind-boggling, and yet they considered it not only safe but also perfectly normal. Someone is going to make a lot of money out of their overly relaxed attitude if they ever draw the wrong kind of attention.
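As an added illustration of what „due attention“ to such files can look like (example code written for this post, not from the BAE write-up or the team mentioned above): the consumer of a text file from a share acts on it only if a keyed MAC verifies, with the key held by the consuming system and never stored on the share, and a deployment job accepts a downloaded artifact only if it matches a pinned digest. All file contents, keys and names here are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a text file an automated job picks up from a network share.
PAYMENT_BATCH = b"ACCT=12345678;AMOUNT=1000.00;CCY=USD\n"
# The MAC key lives with the consuming system (in practice: a secrets store),
# never on the share, so write access to the share alone cannot forge a tag.
SHARE_KEY = secrets.token_bytes(32)


def tag_file(key: bytes, data: bytes) -> str:
    """Producer side: HMAC-SHA256 tag stored as a sidecar next to the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def accept_share_file(key: bytes, data: bytes, tag: Optional[str]) -> bool:
    """Consumer side: act on the file only if its tag verifies.
    A missing tag is a rejection, not a fallback to 'trust it anyway'."""
    if not tag:
        return False
    expected = tag_file(key, data)
    # compare_digest avoids leaking the expected tag through timing differences.
    return hmac.compare_digest(expected, tag)


# Constructed pin for the 'download code from the internet' case: the deployment
# knows the SHA-256 of the artifact it expects and refuses anything else.
PINNED_SHA256 = hashlib.sha256(b"expected-artifact-contents").hexdigest()


def accept_download(blob: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Refuse to run a downloaded artifact unless its digest matches the pin."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), pinned_hex)


def demo() -> dict:
    """Run the checks against a genuine file, a file altered on the share,
    a file with no tag at all, and a swapped download."""
    tag = tag_file(SHARE_KEY, PAYMENT_BATCH)
    tampered = PAYMENT_BATCH.replace(b"1000.00", b"9100.00")
    return {
        "genuine": accept_share_file(SHARE_KEY, PAYMENT_BATCH, tag),
        "tampered": accept_share_file(SHARE_KEY, tampered, tag),
        "missing_tag": accept_share_file(SHARE_KEY, PAYMENT_BATCH, None),
        "good_download": accept_download(b"expected-artifact-contents"),
        "swapped_download": accept_download(b"something else entirely"),
    }
```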


Why You Shouldn’t Be Hosting Public DNS | Postmodern Security

A more than interesting take on the „we have to have full control of our DNS“ discussions found in many companies. There are of course many reasons, job security among them, why people inside an organisation will view moving DNS services to a provider as wrong, but as more and more companies succumb to the „Cloud“ hype, the more relevant this question becomes: „Besides, as organizations continue to move their services to the cloud, why would you have the name resolution of those resources tied to some legacy, on-premise server?“

Source: Why You Shouldn’t Be Hosting Public DNS | Postmodern Security

» Database Corruption Worksheet: Steve Stedman

» Database Corruption Worksheet Steve Stedman.

I was going to write that I’ve been very lucky in not having to deal with any corrupt MS SQL Server databases until now but, given how rock-solid MS SQL Server is, it’s not unusual to never see any corruption.

If I ever *do* have to recover an MS SQL Server database, I’d be looking to start with the worksheet from Steve Stedman and go on to trawling his, Brent Ozar’s and Paul Randal’s other material for methods.

ITIL and the Grim Reaper

So, I came out of a meeting this morning where there was a large amount of ITIL-type talk about „Tickets“, „Incidents“, „Changes“, „Emergency Changes“, and whether an Incident was documentation enough to mean not having to also create a(n emergency) Change Request.

I went to the Ceramic Department afterwards and there I heard that Günter Grass had died, so I started to wonder whether the Grim Reaper did his job driven by „Incidents“ (someone died, go deal with it) or „Changes“ (someone’s time has come, go and change the state from living to dead). This led me to wonder, if, just if, this was a „Change Request“ scenario, whether that would require someone/-thing to approve the change and whether, with an appropriate lobby, the Change could be rejected. I was left with a profound feeling of, well, if there is an afterlife, they’d better have their ITIL stuff together, because otherwise I’m going to get some relevant, inadequately documented „Changes“ revoked. Maybe starting with John Lennon’s shooting.

AlwaysOn Availability Groups Real-Life Lessons Learned (Video) – by Brent Ozar Unlimited®

„AlwaysOn“ and „High Availability Groups“ were among the features that sounded just *so* great when first announced. Unfortunately, as insanely great as they sound and can be, there’s a lot to think about and to watch out for. Here’s Brent Ozar’s entertaining (as always) look at „Real“ Life.

AlwaysOn Availability Groups Real-Life Lessons Learned (Video) – by Brent Ozar Unlimited®.

If Carpenters Were Hired Like Programmers

I’m sure I posted this before but it keeps cropping up and I wanted to reformat it a little:

The following joke was posted to an internal Magenic list. I don’t know who actually wrote it, and I’ll give credit if someone points out the creator of the joke. It perfectly illustrates what I think developers (especially consultants) have to go through all the time when they’re interviewing for the next gig.


Interviewer: So, you’re a carpenter, are you?
Carpenter: That’s right, that’s what I do.

Interviewer: How long have you been doing it?
Carpenter: Ten years.

Interviewer: Great, that’s good. Now, I have a few technical questions to ask you to see if you’re a fit for our team. OK?
Carpenter: Sure, that’d be fine.

Interviewer: First of all, we’re working in a subdivision building a lot of brown houses. Have you built a lot of brown houses before?
Carpenter: Well, I’m a carpenter, so I build houses, and people pretty much paint them the way they want.

Interviewer: Yes, I understand that, but can you give me an idea of how much experience you have with brown? Roughly.
Carpenter: Gosh, I really don’t know. Once they’re built I don’t care what color they get painted. Maybe six months?

Interviewer: Six months? Well, we were looking for someone with a lot more brown experience, but let me ask you some more questions.
Carpenter: Well, OK, but paint is paint, you know.

Interviewer: Yes, well. What about walnut?
Carpenter: What about it?

Interviewer: Have you worked much with walnut?
Carpenter: Sure, walnut, pine, oak, mahogany — you name it.

Interviewer: But how many years of walnut do you have?
Carpenter: Gosh, I really don’t know — was I supposed to be counting the walnut?

Interviewer: Well, estimate for me.
Carpenter: OK, I’d say I have a year and a half of walnut.

Interviewer: Would you say you’re an entry level walnut guy or a walnut guru?
Carpenter: A walnut guru? What’s a walnut guru? Sure, I’ve used walnut.

Interviewer: But you’re not a walnut guru?
Carpenter: Well, I’m a carpenter, so I’ve worked with all kinds of wood, you know, and there are some differences, but I think if you’re a good carpenter …

Interviewer: Yes, yes, but we’re using Walnut, is that OK?
Carpenter: Walnut is fine! Whatever you want. I’m a carpenter.

Interviewer: What about black walnut?
Carpenter: What about it?

Interviewer: Well we’ve had some walnut carpenters in here, but come to find out they weren’t black walnut carpenters. Do you have black walnut experience?
Carpenter: Sure, a little. It’d be good to have more for my resume, I suppose.

Interviewer: OK. Hang on let me check off the box…
Carpenter: Go right ahead.

Interviewer: OK, one more thing for today. We’re using Rock 5.1 to bang nails with. Have you used Rock 5.1?
Carpenter: [Turning white…] Well, I know a lot of carpenters are starting to use rocks to bang nails with since Craftsman bought a quarry, but you know, to be honest I’ve had more luck with my nailgun. Or a hammer, for that matter. I find I hit my fingers too much with the rock, and my other hand hurts because the rock is so big.

Interviewer: But other companies are using rocks. Are you saying rocks don’t work?
Carpenter: No, I’m not saying rocks don’t work, exactly, it’s just that I think nail guns work better.

Interviewer: Well, our architects have all started using rocks, and they like it.
Carpenter: Well, sure they do, but I bang nails all day, and — well, look, I need the work, so I’m definitely willing to use rocks if you want. I try to keep an open mind.

Interviewer: OK, well we have a few other candidates we’re looking at, so we’ll let you know.
Carpenter: Well, thanks for your time. I enjoyed meeting you.



Interviewer: Hello?
Carpenter: Hello. Remember me, I’m the carpenter you interviewed for the black walnut job. Just wanted to touch base to see if you’ve made a decision.

Interviewer: Actually, we have. We liked your experience overall, but we decided to go with someone who has done a lot of work with brown.
Carpenter: Really, is that it? So I lost the job because I didn’t have enough brown?

Interviewer: Well, it was partly that, but partly we got the other fellow a lot cheaper.
Carpenter: Really — how much experience does he have?

Interviewer: Well, he’s not really a carpenter, he’s a car salesman — but he’s sold a lot of brown cars and he’s worked with walnut interiors.
Carpenter: [click]

A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‚factoring the NSA for fun and profit‘)

Hopefully the ridicule poured upon the UK’s Prime Minister, Cameron, regarding his desire to ban cryptography (or at least water it down) will have caused all parties to put their heads back on the right way round. Just in case any government is still planning such a move, here are a few words of caution to anyone willing to listen:

A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‚factoring the NSA for fun and profit‘).