Previously on "An eye opening lesson in IT security"

  • minestrone
    replied
    Originally posted by Dominic Connor:
    Some years ago I was asked to provide some support for Eurim (big IT industry lobbying group) about the dangers of the ever-increasing set of government bodies who could be using spying powers and tech.

    One serious issue is Sinn Fein, or any other bunch of nutters you feel are beyond the pale.

    They already run bits of government through free and fair elections. The day is coming when the BNP does as well.

    Those are just the nutters who are officially members, random crazies are to be found at least as much in local government as anywhere else.

    The test for any power needs to be "what if the other guy gets this power?"

    You may like Cameron and Clegg, but any power you give them will end up with whoever takes over Labour from Miliband, or the next Thatcher or the next Blair or the next Enoch Powell...
    Paranoid pish.

  • Dominic Connor
    replied
    It's worse than that...

    Some years ago I was asked to provide some support for Eurim (big IT industry lobbying group) about the dangers of the ever-increasing set of government bodies who could be using spying powers and tech.

    One serious issue is Sinn Fein, or any other bunch of nutters you feel are beyond the pale.

    They already run bits of government through free and fair elections. The day is coming when the BNP does as well.

    Those are just the nutters who are officially members, random crazies are to be found at least as much in local government as anywhere else.

    The test for any power needs to be "what if the other guy gets this power?"

    You may like Cameron and Clegg, but any power you give them will end up with whoever takes over Labour from Miliband, or the next Thatcher or the next Blair or the next Enoch Powell...

  • OwlHoot
    replied
    Originally posted by OwlHoot:
    WHS, but this obsession with logging IT comms by that bossy Home Secretary (I forget her name) has very little to do with terrorism but is much more about identifying council house and housing association sub-letters and cash-in-hand landlords, to try and winkle more tax out of them.
    As I was saying:

    Forget the spies: councils want the Snooper's Charter, too » Spectator Blogs

    http://blogs.spectator.co.uk/coffeeh...rotect-people/

    From the latter page:

    A Freedom of Information request recently carried out by the organisation Big Brother Watch highlighted the large number of public authorities clamouring to get their hands on this vast mine of data. They included those who I would rightly expect to have access such as the Serious Fraud Office; to those who I cannot understand why they would ever need access – such as the Royal Mail, the Health and Safety Executive and the Charity Commission.

    I have even received representations from my own Local Authority, Enfield Council – calling on me to support the Cabinet Member for Environment’s wish to be granted access to communications data once the redrafted Bill comes back to Parliament.

    Given the numerous examples of local authorities using already existing surveillance powers in manners for which they were never intended – such as to catch those living outside school catchment areas or monitoring the illegal movement of pigs – why on earth would they also need access to their residents’ communications data?
    Last edited by OwlHoot; 13 June 2013, 17:06.

  • NotAllThere
    replied
    Originally posted by Dominic Connor:
    ..., or worse still Capita
    Crapita.

    However, you may feel that, as a hybrid headhunter/journalist, I am by nature too cynical.
    I doubt it. Possibly not cynical enough.

    Yes, the security team could get outsourced, but that can be a good thing. The ex-employees then set up their own company and charge $$$$$ per day to fix the problems the outsourcers have set up - I've known this to happen.

    In this case though, the security team reported to group security... not the CIO. The organisation takes security very seriously. Not quite board presence, but very close.

  • Dominic Connor
    replied
    Originally posted by NotAllThere:
    The security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to wikileaks would save a lot of effort.
    That of course is why IT people get outsourced.

    The CIO wants to do some crap like this and gets stopped, so he hires some "security consultants" from one of the big accountancy firms, or worse still Capita or whatever, who charge a packet and then either tell him what he wants to hear or sell a "solution" that is even less secure.

    A big problem with security is that for any given hole, the worst usually does not happen.

    So that means he can pull this stunt several times, in-house security say "no", the consultants demonstrate a "can-do business attitude" and one day you come in and find you have a new employer, or that you're out of work and been replaced by some UK based frontmen backed up by Indians.

    However, you may feel that, as a hybrid headhunter/journalist, I am by nature too cynical.

  • NotAllThere
    replied
    The security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to wikileaks would save a lot of effort.

    Anyone developed paranoidlinux yet?

  • bobspud
    replied
    The chaps I have been working with were of the opinion that most companies take months, not weeks, to find an exploit. That's before they even deal with the consequences. If you own IP that defines your business, then months is a long time for a guy to be file-dumping your servers.

    As for knowing your stuff: the unfortunate trend of finding the cheapest guy for the job has made matters worse. I got to a point where rockstar server admin skills were worth nothing compared to writing a pointless doc and watching some newb completely mangle your design with slapdash, wide-open OS installs and rhosts files full of "trust all"...

    Add into the chaos poorly written code by guys that don't get what they are doing, and it becomes easy pickings...

    I am yet to meet a security team that actually understands what they are supposed to do. For the most part they are firewall managers at best.

  • Dominic Connor
    replied
    Originally posted by NotAllThere:
    If you work for a large well known company, have a chat sometime with the network security team.
    They vary a lot. I do a bit of expert witness work in the area of "how the hell did this tulip get to where it is now, and who do we blame, then sue?"

    I get to talk to in-house security at large firms, some of which are household names and their security varies from the impressive to the tragic.

    I've just done a piece on trends in the job market for TheRegister.com, and a corollary to my understanding of the way top management want security to work is that the number of holes will increase.

    In the good old days, like 2010, you had servers which you defended with dogs and guns, PCs which you never really trusted, and some vaguely rigorous assignment of access to various grades and types of users.

    The web made relatively little difference to this, web servers were designed to give specific access to outside end users who had simple well defined access rights.

    Note I say "designed to", we can all share cases where design did not equal implementation.


    Now, the fashion is to give "partners" more access to internal data (i.e. letting suppliers see your stock levels, customers see more about order processing, etc., up to and including API access to the core databases of corporate systems).

    In other words "the business" part of firms, including household names wants to give access rights to outsiders that previously wasn't freely given to internal staff.

    None of that is impossible, nor is it hard.

    What is hard is doing it right and knowing that you've done it right.

    That's why it's on my "learn this crap to get more money" list, since it ticks all the boxes of a skill to get on your CV, demand from the people who control the money, visible productivity, lots of different systems to make work together, and needs a lot of work to get right.

  • doodab
    replied
    Originally posted by Freamon:
    Probably still plenty of crims and terrorists who haven't figured out how to use tor.

    Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0
    I'd guess that any traffic going to or from a tor node would be considered interesting by nature, not to mention they could flag the fact that someone was using tor in the first place.

  • Freamon
    replied
    Originally posted by doodab:
    At that scale I'd guess they would be more concerned with who talks to whom and how often, who looks at which suspicious websites and what they looked at (can be inferred from response sizes) and looking for patterns, perhaps even working out where someone is physically located if they don't already know.
    Probably still plenty of crims and terrorists who haven't figured out how to use tor.

    Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0

  • doodab
    replied
    Originally posted by Freamon:
    Is that much use, given most of the packets they're interested in will be SSL encrypted data?
    At that scale I'd guess they would be more concerned with who talks to whom and how often, who looks at which suspicious websites and what they looked at (can be inferred from response sizes) and looking for patterns, perhaps even working out where someone is physically located if they don't already know.

    The other thing about SSL is that a man-in-the-middle attack is pretty easy if you can fake certificates, so you need to look at who controls all of the certificate authorities you trust.


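Added example (not code from any post in this thread) illustrating doodab's point above that an observer who sees only encrypted response lengths can still narrow down which page was fetched, and showing the usual mitigation: padding responses to fixed size buckets so that many pages share one observable length. The site catalogue and byte counts are constructed, and the model ignores TLS record framing, compression and sub-resources.

```python
from collections import defaultdict

# Constructed catalogue of a small site's pages and their plaintext response
# sizes in bytes (made-up numbers, not measurements of any real site).
PAGE_SIZES = {
    "/index": 4812,
    "/about": 1290,
    "/contact": 1301,
    "/pricing": 9725,
    "/blog/post-1": 23418,
}


def pad_to_bucket(size, min_bucket=4096):
    """Pad a response length up to the next power-of-two bucket, never below
    min_bucket, so that many distinct pages share one observable length."""
    bucket = min_bucket
    while bucket < size:
        bucket *= 2
    return bucket


def candidates(observed, sizes, tolerance=0):
    """Pages whose observable length is within `tolerance` bytes of an observed
    length. A passive observer seeing only ciphertext lengths can reduce the
    question 'which page?' to this set; one element means it is identified."""
    return sorted(page for page, s in sizes.items() if abs(s - observed) <= tolerance)


def ambiguity(sizes):
    """For each page, the number of pages sharing its observable length
    (1 means the page is uniquely identifiable by length alone)."""
    by_length = defaultdict(list)
    for page, s in sizes.items():
        by_length[s].append(page)
    return {page: len(by_length[s]) for page, s in sizes.items()}


def padded_sizes(sizes, min_bucket=4096):
    """Apply bucket padding to every page in the catalogue (the mitigation)."""
    return {page: pad_to_bucket(s, min_bucket) for page, s in sizes.items()}


if __name__ == "__main__":
    # Unpadded: every page has a unique length, so length alone identifies it.
    print("unpadded:", ambiguity(PAGE_SIZES))
    # Padded: /about and /contact both become 4096 bytes and merge into one
    # candidate set; larger pages still stand out, so padding is not a cure-all.
    padded = padded_sizes(PAGE_SIZES)
    print("padded:  ", ambiguity(padded))
    print("observed 4096 ->", candidates(4096, padded))
```

Bucketing only helps pages that land in the same bucket; a page far larger than the rest (here /blog/post-1) stays distinguishable, which is why defenders pad towards a small set of fixed sizes rather than trusting padding alone.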
  • OwlHoot
    replied
    Originally posted by bobspud:
    Just the Level 3 European network has somewhere in the region of 67Tb per second of capacity on its own. That's one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it. ...
    WHS, but this obsession with logging IT comms by that bossy Home Secretary (I forget her name) has very little to do with terrorism but is much more about identifying council house and housing association sub-letters and cash-in-hand landlords, to try and winkle more tax out of them.

  • Freamon
    replied
    Originally posted by doodab:
    You can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.
    Is that much use, given most of the packets they're interested in will be SSL encrypted data?

  • doodab
    replied
    Originally posted by bobspud:
    It's never going to be physically possible to handle taps on that data.
    It already is.

    You can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.

    I'd be interested to know if something like this is wired up to major ingress and egress points or various places in between. LINX, for example, handles about 1.5Tbit/s peak traffic, which could all be scanned with a couple of racks' worth of gear and, e.g., every VOIP call captured. Obviously that wouldn't deal with stuff outside your borders, or stuff that doesn't transit that exchange, but most western countries have similar lawful intercept laws to the US, so they could easily compel a carrier to capture every packet going in or out of a particular broadband connection or similar.

    Originally posted by bobspud:
    And if the government tried it how hard would it be to flood the network with random noise?
    Easy. Set up a site for IT contractors and post some Daily Mail links about AGW and economics.

    Originally posted by bobspud:
    If you get to the bit where they ask the ISP to save all that web data and email....
    What, this bit?

    http://www.legislation.gov.uk/uksi/2.../contents/made
    Last edited by doodab; 1 June 2013, 12:49.

  • bobspud
    replied
    Just the Level 3 European network has somewhere in the region of 67Tb per second of capacity on its own. That's one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it.

    It's never going to be physically possible to handle taps on that data. And if the government tried it, how hard would it be to flood the network with random noise? If you get to the bit where they ask the ISP to save all that web data and email.... I have 10 gmail accounts and they all have 10gb of mail capacity, and given that the ISP will have to store that for 7 years you are talking about 125 copies stored per year with the typical rotation.

    I am going in to see a client next week to tell them that we found about 3 gigs of their data sat on Pastebin and some associated sites. We found that much in 20 minutes while a sales presentation was on the go...

    In short 20 minutes work got me enough inside information to earn more in a week of activity than the poor sap that takes this job will in several years...

    Job: Urgent IT Security Expert Wanted up to £350/day - Technojobs