Posts by Matthew Poole
-
OnPoint: MSD's Leaky Servers, in reply to
I’m picking there will be pressure to be seen to be actually Doing Something.
The best bit is that the specific recommendations from Deloitte will probably be withheld on the grounds that their release would jeopardise the security of the MSD network going forward. Be seen to be Doing Something? HAH!
-
OnPoint: MSD's Leaky Servers, in reply to
And AFAIK there’s no way to find out
There are ways, though only the what to an extent, and very, very little who. Daniel Ayers, who specialises in computer forensics and has been asked in the media about this, has said that he considers my "nuke it from orbit" (love that phrase) approach isn't necessary. As the guy who set up the part of Deloitte that will be doing the investigation he's got some authority.
He says, and he's right, that the kiosks will contain at least some evidence if they've been used to jump off into the network. What he hasn't said is that there are 700 kiosks, every one of which would need to be examined in a process that can take weeks for a single machine, and that some of them may have been replaced in the intervening two years, which would have rendered any possible evidence unreachable.
As Sacha says, it's a balancing act. Extensive forensic examination of 700 machines will be expensive, though if all the kiosks are the originals and the examination comes back clear it'll have been cheaper than breaking out the ICBMs. If, however, it finds evidence of misdeeds, the ICBMs come back into play and their cost will be on the back of that examination.
-
OnPoint: MSD's Leaky Servers, in reply to
everyone’s banging on like they do know
As one of the "everyone" you're talking about, I hope I haven't posited that I "do know" what happened. I know what could have happened based on what I know did happen and other things I know generally, but I've tried not to imply that my proposition is anything other than a worst-case scenario.
-
OnPoint: MSD's Leaky Servers, in reply to
Indeed. Which then requires allowing people to access their USB drives. Dumb, dumber, dumbest. Letting people access cloud storage means USB storage can be completely disabled, improving security significantly.
-
OnPoint: MSD's Leaky Servers, in reply to
Trying to lock down WIN95 (yes, that far back) was a nightmare only solved by alternative OSs.
Whereas these days Win7 is actually pretty robust. Win95 wasn’t even a proper multi-user OS, which was a huge part of the problems you would’ve faced.
As Paul Craig demonstrates, real security for kiosks is pretty much impossible, which is why they should never be connected to the corporate network. In WINZ’s case, though, they were really just offering internet access to allow people to view job listings and print off CVs. That can be easily accomplished with Windows and a decent firewall to restrict the sites that can be accessed. Oh, and not connecting them into the corporate LAN, of course. If the only machines on that side of the firewall are other kiosks the risks are limited to people installing key-loggers to try and pick up logins for Google Docs.
-
OnPoint: MSD's Leaky Servers, in reply to
The first comment could’ve been written by Paula’s office.
Facts first (and I know facts are an unnecessary burden on a journo) but Ira Bailey was the person who accessed the data – not Keith Ng. Second fact; Ira has IT credentials. Oh, and third inconvenient fact, Ira is a recognised leftist and activist.
And, yes, I know that's what I deserve for reading the comments.
-
OnPoint: MSD's Leaky Servers, in reply to
the kind of person whose default first question about any new thing is “how would I break that?”
that’s a software tester. :)
Or a small child who has just been given a hammer. I'm seeing some similarities :P
-
OnPoint: MSD's Leaky Servers, in reply to
The difference between them and hackers is basically the self-control to not follow through unless they’ve been asked to.
Not even that much. The phrase "grey hat" exists for a reason: they skirt the boundaries of being a black hat while being ostensibly a white-hat. I know more grey-hat testers than I do white-hat ones, TBH, though they're largely not malicious in their law-breaking. It's more that to really test their skills or prove their theories they cannot just rely on clients presenting the appropriate opportunities, so they have to edge across into the illegal realms.
-
OnPoint: MSD's Leaky Servers, in reply to
The vulnerability may have existed for 2 years but that doesn’t mean that people have been taking advantage of it since then. Or ever
Not taking drastic action to assure security would be adopting a very hopeful attitude towards reality. Examining 700 kiosks (and that's assuming that none have been replaced) for confirmation that nothing untoward has happened is a huge job, and they only have to find one kiosk that's been used to leap all the way into the network to shatter that hopeful attitude. Once someone's got in, the kiosk won't necessarily have the evidence of what's been done, so the examination will have to continue on the other kiosks as well as going deeper into the network to look for what else has been done.
-
OnPoint: MSD's Leaky Servers, in reply to
wouldn’t you want to know that the people you are hiring to assess your security are capable of breaking stuff like what you’re trying to deploy?
I know a couple of the security testers who work for DiData, and they enjoy breaking into computers. They're some of the luckiest people I know, because they get to do something that's a hobby and get paid for it. They're not so thrilled on the paperwork side of things, but when you're getting paid six figures a year to break stuff you have to take the shit with the smooth. And because they enjoy it, they're strongly inclined to keep figuring out new ways to do things. Some of them even have esoteric hobbies, like Paul Craig's fascination with cracking kiosks, and those hobbies have direct application to their testing.