
Comments
Anonymous Vs. DNS System: Lessons For Enterprise IT
Midnight,
User Rank: Apprentice
8/10/2012 | 10:17:54 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
Kudos to the DNS Root Servers Team!
People keep whining about groups like Anon, but it really is true that you have to own your own system and its daily needs. I have seen far too many companies rely on vendors who don't write clean code. The companies cry ignorance, and the vendors cry it wasn't their fault; it's still just delusional. This problem is epidemic and the implications are deadly to business. There is a cure though: SELF RESPONSIBILITY!
I know it's a quaint old concept, but if a system is compromised, someone has not done their job. Yes, it is that simple. Either a software vendor released code that was not properly tested (ahem, Apple, Microsoft, Cisco, Adobe to start with), or a Network Administrator did not keep up with updates/configurations/testing, or a business owner has attempted to "Outsource the Responsibility" for their IT presence. (You do know the "cloud" is not a magic miracle fairy land of IT solutions, but more like the worst nightmare for securing sensitive data/resources? Really?)
The basics of security have not really changed since the first human wanted to keep a secret from another human. The basics of IT are the same since its birth; people may change the tools they use and the form of the data, but the challenge is the same.
"Make my data available to me wherever I am, whenever I want, no matter how big the bulk, using or abusing any tool I want, instantaneously. Oh, and as an afterthought secure it from everybody else unless I want them to see it until I change my mind."
Heaven forbid these people are forced to take responsibility for their un-sane desires being fulfilled. Groups like Anon and LULZ are a mixed bag: when they stand up and shout "The emperor is Nekkid!" that's one thing. We point and laugh. But when they start poking the emperor in the vulnerables, then it's not so funny, because we must look at ourselves and see the state of our own clothes (or lack thereof.) The warnings are there and have been delivered; business intrusions are close to being UN-insurable losses because vendors, managers, and owners are implementing at "no feature show-stoppers" versus "no security show-stoppers." Vendors, please have some real pride in your product instead of releasing beta code and using the public to debug it for you. Owners, realize that you are now holding a machine with more power than a super-computer mainframe of the 70's... as a phone. You are responsible for what it does, how it is treated, how secure and safe it is. Don't lose that feeling of awe. You are indeed a teenager learning to drive dad's car. IT staff, you have a tough job. The business really does believe in you, but they don't understand the implications of their demands. And no, don't try to explain it to them; they really don't get it or even want to. So take the stand, say "NO, not yet" when it's clear the desire will endanger the company. But at the same time, find a solution for the board room that will work. If that means they must give up their i-toys for another vendor that has security and stability as a higher priority, then that is what they get.
When pressed, all you have to say is "Sure you can use your i-toy here as long as you sign this document making you personally financially responsible for the business losses that will occur due to your decision, standard company policy. I am happy to assist you in this matter." Your insurance company will love you for it.
Acronym,
User Rank: Apprentice
4/4/2012 | 9:48:25 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
"It's a game... a high-stakes game being played by one group against the rest of the world."

Increasingly, it is not a game at all. To increasing numbers of people, it is a war against the people by government, supported heavily by corporations. Anonymous thrives by the support of ordinary people who are alarmed at the intrusions and abuse by government and corporations of individuals, who realize they can put trust in common people to protect them from the intrusions of authority. You have all the power and all the money, but you don't protect people; you protect assets and authorities.
Andrew Hornback,
User Rank: Apprentice
4/4/2012 | 7:36:48 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
It's a game... a high-stakes game being played by one group against the rest of the world. It's possible to sit here and say that this was part of a planned security upgrade - however, what happens when Anonymous decides to attack something else? Do we throw millions down on the barrelhead in an attempt to mitigate that risk? How often does this happen before we run out of resources to defend against these attacks?

Rather than continuing to play the game defensively, it's about time that this becomes an offensive game with the idea of neutralizing this group and their threats, whether real or simply perceived.

Andrew Hornback
InformationWeek Contributor