Date: Thu, 18 Oct 2007 20:16:08 +0100
From: "worried security" <worriedsecurity@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Zone-H.org: 10 reasons websites get hacked

On 10/18/07, full-disclosure@....hush.com <full-disclosure@....hush.com>
wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I thought the main reasons for intrusion were fun and/or profit.  I
> don't see them on your list anywhere.
>
> I think your list sucks.


the no.1 threat to corporate and national security is in fact the inside job.

yep folks, terrorists are actively seeking to trick the job vetting
processes for power plants, government etc etc.

because the terrorists know the key systems aren't connected to the
internet.

but after reading media reports, it seems the department of homeland
security are thinking if we're not connected to the internet then we're
safe.

no, even permanently offline systems, still need to be patched from internet
threats, because terrorists are actively seeking to get into key
infrastructure jobs with portable disks to infect computers with the latest
0-day posted to places such as Full-Disclosure.

yep folks, all security pros on here will have seen the dhs propaganda video
by now about the turbine getting shutdown with a cyber attack, and the dhs
are focusing on internet facing systems, but the real threat to corporate
and national security is the inside job of permanently offline systems that
the power plants, government etc etc think are safe and don't need patched.

what i'm saying is, for example, i'm not saying they use microsoft for key
infrastructure systems, but a permanently offline system still needs to be
fully patched after every patch tuesday, even though that system is
permanently offline and will never ever be connected to the internet.

that is my key problem i'm seeing right now by the government in respect of
cyber security, they are assuming an internet connection needs to be there,
but that isn't entirely true.

if mr joe jobs wanna be terrorist manages to trick your job vetting
processes and gets a job with access to the key systems, yes folks,
terrorists haven't got time to fiddle around with computers, they will
download exploit code from Full-Disclosure type sources and throw it on a
portable disk, then go for an inside job social engineering trick and get
into a power plant, government etc etc job.

so having your permanently offline key infrastructure not patched every
patch tuesday for example, is pretty bad, because if your permanently
offline systems had been patched, then mr joe jobs wanna be terrorist
wouldn't have been able to plug in a portable disk into your systems based on
a 0-day exploit originally posted on Full-Disclosure and shut the place
down.

while the internet is one way to get exploit code into your network, it's not
the only way.

joe jobs wanna be terrorist would rather do an inside job, than fiddle
around with computers all day.

in short your permanently offline systems still need to be patched every
patch tuesday.

do the power plants, government etc etc have their patches up to date for
permanently offline systems? ;) they assume only internet facing systems
need to be patched from internet threats, but that is their delusion not
mine.

like in this link, http://www.news.com/8301-10784_3-9799403-7.html they keep
saying "cyber" as in internet... but the truth is a terrorist attack to take
out key power plants, government etc etc would come from the inside job...

the government are wasting their time with the whole "cyber" security thing,
while the exploit code carried on portable disks would originate from
internet sources and that that exploit code may have originally needed an
internet connection, that is not entirely true if portable disks are used
and the joe jobs wanna be terrorists target permanently unpatched,
permanently offline systems.

did you sit smugly in your control rooms smiling at that permanently
offline system and think, hey, nothing posted on Full-Disclosure can touch
this? think again.

thanks,

n3td3v
