
An eye opening lesson in IT security


    #11
    Originally posted by doodab View Post
    At that scale I'd guess they would be more concerned with who talks to whom and how often, who looks at which suspicious websites and what they looked at (can be inferred from response sizes) and looking for patterns, perhaps even working out where someone is physically located if they don't already know.
    Probably still plenty of crims and terrorists who haven't figured out how to use Tor.

    Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0
    "A life, Jimmy, you know what that is? It’s the s*** that happens while you’re waiting for moments that never come." -- Lester Freamon



      #12
      Originally posted by Freamon View Post
      Probably still plenty of crims and terrorists who haven't figured out how to use Tor.

      Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0
      I'd guess that any traffic going to or from a Tor node would be considered interesting by nature, not to mention they could flag the fact that someone was using Tor in the first place.
      While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'



        #13
        Originally posted by NotAllThere View Post
        If you work for a large well known company, have a chat sometime with the network security team.
        They vary a lot. I do a bit of expert witness work in the area of "how the hell did this tulip get to where it is now, and who do we blame, then sue?"

        I get to talk to in-house security at large firms, some of which are household names, and their security varies from the impressive to the tragic.

        I've just done a piece on trends in the job market for TheRegister.com, and a corollary to my understanding of the way top management want security to work is that the number of holes will increase.

        In the good old days like 2010 you had servers which you defended with dogs and guns, PCs which you never really trusted, and some vaguely rigorous assignment of access to various grades and types of users.

        The web made relatively little difference to this; web servers were designed to give specific access to outside end users who had simple, well-defined access rights.

        Note I say "designed to"; we can all share cases where design did not equal implementation.


        Now, the fashion is to give "partners" more access to internal data (i.e. letting suppliers see your stock levels, customers see more about order processing, etc., up to and including API access to the core databases of corporate systems).

        In other words, "the business" part of firms, including household names, wants to give access rights to outsiders that previously weren't freely given to internal staff.

        None of that is impossible, nor is it hard.

        What is hard is doing it right and knowing that you've done it right.

        That's why it's on my "learn this crap to get more money" list, since it ticks all the boxes of a skill to get on your CV: demand from the people who control the money, visible productivity, lots of different systems to make work together, and a lot of work needed to get it right.
        My 12 year old is walking 26 miles for Cardiac Risk in the Young, you can sponsor him here



          #14
          The chaps I have been working with were of the opinion that most companies take months, not weeks, to find an exploit. That's before they even deal with the consequences. If you own IP that defines your business, then months is a long time for a guy to be file dumping your servers.

          As for knowing your stuff: the unfortunate trend of finding the cheapest guy for the job has made matters worse. I got to a point where rockstar server admin skills were worth nothing compared to writing a pointless doc and watching some newb completely mangle your design with slapdash, wide-open OS installs and rhosts files full of trust-all...

          Add into the chaos poorly written code by guys that don't get what they are doing, and it becomes easy pickings...

          I am yet to meet a security team that actually understands what they are supposed to do. For the most part they are firewall managers at best.



            #15
            The security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use Dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to WikiLeaks would save a lot of effort.

            Anyone developed paranoidlinux yet?
            Down with racism. Long live miscegenation!



              #16
              Originally posted by NotAllThere View Post
              The security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use Dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to WikiLeaks would save a lot of effort.
              That of course is why IT people get outsourced.

              The CIO wants to do some crap like this and gets stopped, so he hires some "security consultants" from one of the big accountancy firms, or worse still Capita or whatever, who charge a packet and then either tell him what he wants to hear or sell a "solution" that is even less secure.

              A big problem with security is that for any given hole, the worst usually does not happen.

              So that means he can pull this stunt several times: in-house security say "no", the consultants demonstrate a "can-do business attitude", and one day you come in and find you have a new employer, or that you're out of work and have been replaced by some UK-based frontmen backed up by Indians.

              However, you may feel that, as a hybrid headhunter/journalist, I am by nature too cynical.
              My 12 year old is walking 26 miles for Cardiac Risk in the Young, you can sponsor him here



                #17
                Originally posted by Dominic Connor View Post
                ..., or worse still Capita
                Crapita.

                However, you may feel that, as a hybrid headhunter/journalist, I am by nature too cynical.
                I doubt it. Possibly not cynical enough.

                Yes, the security team could get outsourced, but that can be a good thing. The ex-employees then set up their own company and charge $$$$$ per day to fix the problems the outsourcers have set up. I've known this to happen.

                In this case though, the security team reported to group security... not the CIO. The organisation takes security very seriously. Not quite board presence, but very close.
                Down with racism. Long live miscegenation!



                  #18
                  Originally posted by OwlHoot View Post
                  WHS, but this obsession with logging IT comms by that bossy Home Secretary (I forget her name) has very little to do with terrorism but is much more about identifying council house and housing association sub-letters and cash-in-hand landlords, to try and winkle more tax out of them.
                  As I was saying:

                  Forget the spies: councils want the Snooper's Charter, too » Spectator Blogs

                  http://blogs.spectator.co.uk/coffeeh...rotect-people/

                  From the latter page:

                  A Freedom of Information request recently carried out by the organisation Big Brother Watch highlighted the large number of public authorities clamouring to get their hands on this vast mine of data. They included those who I would rightly expect to have access such as the Serious Fraud Office; to those who I cannot understand why they would ever need access – such as the Royal Mail, the Health and Safety Executive and the Charity Commission.

                  I have even received representations from my own Local Authority, Enfield Council – calling on me to support the Cabinet Member for Environment’s wish to be granted access to communications data once the redrafted Bill comes back to Parliament.

                  Given the numerous examples of local authorities using already existing surveillance powers in manners for which they were never intended – such as to catch those living outside school catchment areas or monitoring the illegal movement of pigs – why on earth would they also need access to their residents’ communications data?
                  Last edited by OwlHoot; 13 June 2013, 17:06.
                  Work in the public sector? Read the IR35 FAQ here



                    #19
                    It's worse than that...

                    Some years ago I was asked to provide some support for Eurim (big IT industry lobbying group) about the dangers of the ever-increasing set of government who could use spying powers and tech.

                    One serious issue is Sinn Fein, or any other bunch of nutters you feel are beyond the pale.

                    They already run bits of government through free and fair elections. The day is coming when the BNP does as well.

                    Those are just the nutters who are officially members; random crazies are to be found at least as much in local government as anywhere else.

                    The test for any power needs to be "what if the other guy gets this power?"

                    You may like Cameron and Clegg, but any power you give them will end up with whoever takes over Labour from Miliband, or the next Thatcher or the next Blair or the next Enoch Powell...
                    My 12 year old is walking 26 miles for Cardiac Risk in the Young, you can sponsor him here



                      #20
                      Originally posted by Dominic Connor View Post
                      Some years ago I was asked to provide some support for Eurim (big IT industry lobbying group) about the dangers of the ever-increasing set of government who could use spying powers and tech.

                      One serious issue is Sinn Fein, or any other bunch of nutters you feel are beyond the pale.

                      They already run bits of government through free and fair elections. The day is coming when the BNP does as well.

                      Those are just the nutters who are officially members; random crazies are to be found at least as much in local government as anywhere else.

                      The test for any power needs to be "what if the other guy gets this power?"

                      You may like Cameron and Clegg, but any power you give them will end up with whoever takes over Labour from Miliband, or the next Thatcher or the next Blair or the next Enoch Powell...
                      Paranoid pish.
