Comments
Anonymous Vs. DNS System: Lessons For Enterprise IT
Midnight,
User Rank: Apprentice
8/10/2012 | 10:17:54 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
Kudos to the DNS Root Servers Team!
People keep whining about groups like Anon, but it really is true that you have to own your own system and its daily needs. I have seen far too many companies rely on vendors who don't write clean code. The companies cry ignorance, and the vendors cry that it wasn't their fault; it's still just delusional. This problem is epidemic and the implications are deadly to business. There is a cure though: SELF RESPONSIBILITY!
I know it's a quaint old concept, but if a system is compromised, someone has not done their job. Yes it is that simple. Either a software vendor released code that was not Properly tested (ahem Apple, Microsoft, Cisco, Adobe to start with) or a Network Administrator did not keep up with updates/configurations/testing or a business owner has attempted to "Outsource the Responsibility" for their IT presence. (You do know the "cloud" is not a magic miracle fairy land of IT solutions, but more like the worst nightmare for securing sensitive data/resources? Really?)
The basics of security have not really changed since the first human wanted to keep a secret from another human. The basics of IT are the same since its birth; people may change the tools they use and the form of the data, but the challenge is the same.
"Make my data available to me wherever I am, whenever I want, no matter how big the bulk, using or abusing any tool I want, instantaneously. Oh, and as an afterthought secure it from everybody else unless I want them to see it until I change my mind."
Heaven forbid these people are forced to take responsibility for the un-sane desires fulfilled. Groups like Anon and LULZ are a mixed bag: when they stand up and shout "The emperor is Nekkid!" that's one thing. We point and laugh. But when they start poking the emperor in the vulnerables, then it's not so funny, because we must look at ourselves and see the state of our own clothes (or lack thereof). The warnings are there and have been delivered; business intrusions are close to being UN-insurable losses because vendors, managers, and owners are implementing at "no feature show-stoppers" versus "no security show-stoppers." Vendors, please have some real pride in your product instead of releasing beta code and using the public to debug it for you. Owners, realize that you are now holding a machine with more power than a super-computer mainframe of the 70's... as a phone. You are responsible for what it does, how it is treated, how secure and safe it is. Don't lose that feeling of awe. You are indeed a teenager learning to drive dad's car. IT staff, you have a tough job. The business really does believe in you, but they don't understand the implications of their demands. And no, don't try to explain it to them; they really don't get it or even want to. So take the stand, say "NO, not yet" when it's clear the desire will endanger the company. But at the same time, find a solution for the board room that will work. If that means they must give up their i-toys for another vendor that has security and stability as a higher priority, then that is what they get.
When pressed, all you have to say is "Sure you can use your i-toy here as long as you sign this document making you personally financially responsible for the business losses that will occur due to your decision, standard company policy. I am happy to assist you in this matter." Your insurance company will love you for it.
Acronym,
User Rank: Apprentice
4/4/2012 | 9:48:25 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
"It's a game... a high-stakes game being played by one group against the rest of the world."

Increasingly, it is not a game at all. To increasing numbers of people, it is a war against the people by government, supported heavily by corporations. Anonymous thrives by the support of ordinary people who are alarmed at the intrusions and abuse by government and corporations of individuals who realize they can put trust in common people to protect them from the intrusions of authority. You have all the power and all the money, but you don't protect people; you protect assets and authorities.
Andrew Hornback,
User Rank: Apprentice
4/4/2012 | 7:36:48 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
It's a game... a high-stakes game being played by one group against the rest of the world. It's possible to sit here and say that this was part of a planned security upgrade - however, what happens when Anonymous decides to attack something else? Do we throw millions down on the barrelhead in an attempt to mitigate that risk? How often does this happen before we run out of resources to defend against these attacks?

Rather than continuing to play the game defensively, it's about time that this becomes an offensive game with the idea of neutralizing this group and their threats, whether real or simply perceived.

Andrew Hornback
InformationWeek Contributor