Originally posted by Dominic Connor
View Post
- Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
- Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!
Reply to: An eye opening lesson in IT security
Collapse
You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:
- You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
- You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
- If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
Logging in...
Previously on "An eye opening lesson in IT security"
Collapse
-
It's worse than that...
Some years ago I was asked to provide some support for Eurim (big IT industry lobbying group) about the dangers of the ever increasing set of government who could using spying powers and tech.
One serious issue is Sinn Fein, or any other bunch of nutters you feel are beyond the pale.
They already run bits of government through free and fair elections. The day is coming when the BNP does as well.
Those are just the nutters who are officially members, random crazies are to be found at least as much in local government as anywhere else.
The test for any power needs to be "what if they other guy gets this power ?"
You may like Cameron and Clegg, any power you give them will end up with whoever takes over Labour from Milliband, or the next Thatcher or the next Blair or the next Enoch Powell...
Leave a comment:
-
Originally posted by OwlHoot View PostWHS, but this obsession with logging IT comms by that bossy Home Secretary (I forget her name) has very little to do with terrorism but is much more about identifying council house and housing association sub-letters and cash-in-hand landlords, to try and winkle more tax out of them.
Forget the spies: councils want the Snooper's Charter, too » Spectator Blogs
http://blogs.spectator.co.uk/coffeeh...rotect-people/
From the latter page:
A Freedom of Information request recently carried out by the organisation Big Brother Watch highlighted the large number of public authorities clamouring to get their hands on this vast mine of data. They included those who I would rightly expect to have access such as the Serious Fraud Office; to those who I cannot understand why they would ever need access – such as the Royal Mail, the Health and Safety Executive and the Charity Commission.
I have even received representations from my own Local Authority, Enfield Council – calling on me to support the Cabinet Member for Environment’s wish to be granted access to communications data once the redrafted Bill comes back to Parliament.
Given the numerous examples of local authorities using already existing surveillance powers in manners for which they were never intended – such as to catch those living outside school catchment areas or monitoring the illegal movement of pigs – why on earth would they also need access to their residents’ communications data?Last edited by OwlHoot; 13 June 2013, 17:06.
Leave a comment:
-
Originally posted by Dominic Connor View Post..., or worse still Capita
However you may feel that as a hybrid headhunter/journalist that I am by nature too cynical.
Yes, the security team could get outsourced, but that can be a good thing. The ex-employees then set up their own company and charge $$$$$ per day to fix the problems the outsourcers have set up - I've known this to happen.
In this case though, the security team reported to group security... not the CIO. The organisation takes security very seriously. Not quite board presence, but very close.
Leave a comment:
-
Originally posted by NotAllThere View PostThe security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to wikileaks would save a lot of effort.
The CIO wants to do some crɑp like this and gets stopped, so he hires some "security consultants" from one of the big accountancy firms, or worse still Capita or whatever who charge a packet and then either tell him what he wants to hear or sell a "solution" that is even less secure.
A big problem with security is that for any given hole, the worst usually does not happen.
So that means he can pull this stunt several times, in-house security say "no", the consultants demonstrate a "can-do business attitude" and one day you come in and find you have a new employer, or that you're out of work and been replaced by some UK based frontmen backed up by Indians.
However you may feel that as a hybrid headhunter/journalist that I am by nature too cynical.
Leave a comment:
-
The security team I chatted with were one who told the CIO to f*** off when he wanted to get everyone to use dropbox to share sensitive data. They suggested that cutting out the middle man and posting directly to wikileaks would save a lot of effort.
Anyone developed paranoidlinux yet?
Leave a comment:
-
The chaps I have been working with were of the opinion that most companies take months not weeks to find an exploit. Thats before they even deal with the consequences. If you own IP that defines your business, then months is a long time for a guy to be file dumping your servers.
As for knowing your stuff: The unfortunate trend to finding the cheapest guy for the job has made matters worse I got to a point where rockstar server admin skills were worth nothing compared to writing a pointless doc and watching some newb completely mangle your design with slap dash wide open OS installs and rhost files full of trust all...
Add into the chaos poorly written code by guys that don't get what they are doing it becomes easy pickings...
I am yet to meet a security team that actually understand what they are supposed to do. For the most they are firewall managers at best
Leave a comment:
-
Originally posted by NotAllThere View PostIf you work for a large well known company, have a chat sometime with the network security team.
I get to talk to in-house security at large firms, some of which are household names and their security varies from the impressive to the tragic.
I've just done a piece of trends in the job market for TheRegister.com and a corollary to my understanding of the way top management want security to work is that the number of holes will increase.
In the good old days like 2010 you had servers which you defended with dogs and guns, PCs which you never really trusted and some vaguely rigorous of assignment of access to various grades and type of users.
The web made relatively little difference to this, web servers were designed to give specific access to outside end users who had simple well defined access rights.
Note I say "designed to", we can all share cases where design did not equal implementation.
Now, the fashion is to give "partners" more access to internal data (ie letting suppliers see your stock levels, customers see more about order processing, etc up to and including API access to the core databases of corporate systems.
In other words "the business" part of firms, including household names wants to give access rights to outsiders that previously wasn't freely given to internal staff.
None of that is impossible, nor is it hard.
What is hard is doing it right and knowing that you've done it right.
That's why it's on my "learn this crap to get more money" list, since it ticks all the boxes of a skill to get on your CV, demand from the people who control the money, visible productivity, lots of different systems to make work together, and needs a lot of work to get right.
Leave a comment:
-
Originally posted by Freamon View PostProbably still plenty of crims and terrorists who haven't figured out how to use tor.
Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0
Leave a comment:
-
Originally posted by doodab View PostAt that scale I'd guess they would be more concerned with who talks to whom and how often, who looks at which suspicious websites and what they looked at (can be inferred from response sizes) and looking for patterns, perhaps even working out where someone is physically located if they don't already know.
Like these ones: http://www.nytimes.com/2013/05/10/ny...anted=all&_r=0
Leave a comment:
-
Originally posted by Freamon View PostIs that much use, given most of the packets they're interested in will be SSL encrypted data?
The other thing about ssl is that a man in the middle attack is pretty easy if you can fake certificates, so you need to look at who controls all of the certificate authorities you trust.
Leave a comment:
-
Originally posted by bobspud View PostJust the level 3 european network has somewhere in the region of 67Tb per second of capacity on its own. thats one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it. ...
Leave a comment:
-
Originally posted by doodab View PostYou can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.
Leave a comment:
-
Originally posted by bobspud View PostIts never going to be physically possible to handle taps on that data.
You can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.
I'd be interested to know if something like this is wired up to major ingress and egress points or various places in between. The linx for example handles about 1.5Tbit/s peak traffic, which could all be scanned with a couple of racks worth of gear and e.g. every VOIP call captured. Obviously that wouldn't deal with stuff outside your borders, or stuff that doesn't transit that exchange, but most western countries have similar lawful intercept laws to the US, so they could easily compel a carrier to capture every packet going in or out of a particular broadband connection or similar.
Originally posted by bobspud View PostAnd if the government tried it how hard would it be to flood the network with random noise?
Originally posted by bobspud View PostIf you get to the bit where they ask the ISP to save all that web data and email....
http://www.legislation.gov.uk/uksi/2.../contents/madeLast edited by doodab; 1 June 2013, 12:49.
Leave a comment:
-
Just the level 3 european network has somewhere in the region of 67Tb per second of capacity on its own. thats one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it.
Its never going to be physically possible to handle taps on that data. And if the government tried it how hard would it be to flood the network with random noise? If you get to the bit where they ask the ISP to save all that web data and email.... I have 10 gmail accounts and they all have 10gb of mail capacity and given that the ISP will have to store that for 7 years you are talking about 125 copies stored per year with the typical rotation.
I am going into see a client next week to tell them that we found about 3 gigs of their data sat on paste bin and some associated sites. We found that much in 20 minutes while a sales presentation was on the go...
In short 20 minutes work got me enough inside information to earn more in a week of activity than the poor sap that takes this job will in several years...
Job: Urgent IT Security Expert Wanted up to £350/day - Technojobs
Leave a comment:
- Home
- News & Features
- First Timers
- IR35 / S660 / BN66
- Employee Benefit Trusts
- Agency Workers Regulations
- MSC Legislation
- Limited Companies
- Dividends
- Umbrella Company
- VAT / Flat Rate VAT
- Job News & Guides
- Money News & Guides
- Guide to Contracts
- Successful Contracting
- Contracting Overseas
- Contractor Calculators
- MVL
- Contractor Expenses
Advertisers
Contractor Services
CUK News
- Secondary NI threshold sinking to £5,000: a limited company director’s explainer Dec 24 09:51
- Reeves sets Spring Statement 2025 for March 26th Dec 23 09:18
- Spot the hidden contractor Dec 20 10:43
- Accounting for Contractors Dec 19 15:30
- Chartered Accountants with MarchMutual Dec 19 15:05
- Chartered Accountants with March Mutual Dec 19 15:05
- Chartered Accountants Dec 19 15:05
- Unfairly barred from contracting? Petrofac just paid the price Dec 19 09:43
- An IR35 case law look back: contractor must-knows for 2025-26 Dec 18 09:30
- A contractor’s Autumn Budget financial review Dec 17 10:59
Leave a comment: