Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
What You Need To Know About Nation-State Hacked Hard Drives
Joe Stanganelli, User Rank: Ninja
3/4/2015 | 11:39:58 PM
Re: Infected conference materials
You know air gaps aren't failsafe when the International Space Station gets infected by an astronaut's USB stick.  ;)  (As Kaspersky reported in late 2013.)
Kelly Jackson Higgins, User Rank: Strategist
3/5/2015 | 6:55:57 AM
Re: Infected conference materials
A few years ago at DEF CON, there was a scare that the conference proceeding disk given to the press was infected with malware. I can't remember the year, or how it all got resolved (I think it may have been a hoax/rumor), but I can tell you that several reporters opted to view preso slides on DEF CON's website after that. =)
klevkoff117, User Rank: Apprentice
3/5/2015 | 10:11:23 AM
Maybe the problem is too much flexibility
I'm sorry, but maybe it's time that people just plain grow up. There is an easy - and 100% effective - solution that can be implemented for just a few cents that will prevent anyone from hacking the firmware on your hard drive. Simply attach a physical switch to the physical write-enable pin on the BIOS storage medium; this way, it will be impossible to alter the firmware without physical access to the drive. Many years ago we had an antiquated version of "flash" that was 100% un-hackable - it was called a ROM (read-only memory); since a ROM cannot be reprogrammed, the only way to change the code stored on a ROM is to physically replace it with a new one..... so it's totally secure... and securing your hard drives is as simple as locking the server and posting a security guard. Do we really need the ability to field upgrade the BIOS on a hard drive? If not, then a ROM will do just fine.

Now, I realize that people these days are obsessed with convenience, and nobody is willing to accept the possibility that a product should be correct the first time (and so require no updates), but it seems to me that it wouldn't be a hardship to simply ship hard drives which physically cannot have their firmware or BIOS altered after they leave the factory. (Use a ROM, cut off the write-enable pin, or burn a link to disable the program function.)

The vast majority of the security breaches and hacks we're seeing lately are simply the result of our modern obsession with convenience... 

(And let's not even discuss passwords which can be reset after a simple request to do so. Am I the only one who sees the irony of generating a "password reset token", which is secured by a nice long cryptographic hash, then sending that secure link to an unsecured e-mail account, as a plain old unencrypted e-mail? Gee, guys, if you want real security, maybe you really should have to go into the branch and talk to someone in person if you want to recover your lost bank password. )
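The reset-token complaint above touches a real design question: since the link travels over a channel the service does not control (plain e-mail), the token's value has to be limited in every other way. The following is an added illustration, not code from any commenter or from Dark Reading, of the usual mitigations: the token is generated from a cryptographic random source, the service stores only a hash of it (so a leaked database does not yield live links), it expires after a short window, and it can be redeemed exactly once. `ResetTokenStore`, its in-memory dictionary and the 15-minute lifetime are constructed for this example; a real service would keep the entries in its database.

```python
import hashlib
import secrets
import time

# Constructed for this example: how long an e-mailed reset link stays valid.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """In-memory stand-in (constructed for the example) for a service's token table.

    Only the SHA-256 of each token is kept, keyed for lookup; the raw token exists
    solely in the link that is e-mailed to the user.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, so expiry is testable
        self._entries = {}              # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh 256-bit token for user_id and return it for the e-mail."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._entries[self._key(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user_id the token was issued for, or None.

        pop() makes the token single-use: a second presentation, or one that
        arrives after the TTL, is rejected even if the e-mail was read by
        someone else later.
        """
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def demo():
    """Walk through issue/redeem with a fake clock; returns the observed outcomes."""
    clock = [1_000.0]
    store = ResetTokenStore(now=lambda: clock[0])

    first = store.issue("alice")
    used_once = store.redeem(first)          # valid on first use
    used_twice = store.redeem(first)         # rejected: already consumed

    second = store.issue("bob")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(second)           # rejected: past the TTL

    return used_once, used_twice, expired


if __name__ == "__main__":
    print(demo())
```

Looking the token up by its hash also avoids comparing attacker-supplied strings against stored secrets; the stored value is useless on its own because SHA-256 cannot be reversed to recover the token that was mailed.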

klevkoff117, User Rank: Apprentice
3/5/2015 | 10:24:58 AM
Re: Infected conference materials
I think a large part of this is our modern obsession with convenience and looks.

My bank tells me that I should have the latest browser "so I can enjoy the latest features"; if they wanted the best security they would be telling me to disable JavaScript and Active-X - and using pure HTML. Likewise, does anyone here remember when, if you had a bunch of text to deliver, you did so as a plain text file? A pure text file isn't especially pretty, but you can't practically infect it with malware.

The simple reality is that nobody wants to trade away convenience, or the latest whiz-bang features, for real security... and so the endless quest for good security that is also convenient, cheap, and looks pretty... which is probably just not possible.

Obviously the promoters of that conference had no idea that anyone would want to hack their conference materials. Otherwise they could have put all their conference material into an archive on that CD - and then published the MD5 hash for the archive on their website.

Likewise, another reader posted about, while conducting business at a bank, being permitted to print something through their network off a USB stick... and how this was a rather unsecure practice. Am I the only one who remembers when even HAVING a USB drive in a computer that was supposed to be secure was considered a bad idea?

We sacrifice security for convenience at every turn, then we act surprised when we learn that the security isn't there any more....
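The suggestion above, ship the material on the CD and publish the archive's hash on the website, only works if the recipient actually checks it, and the check is the easy part. Below is an added example (not code from any commenter or from the conference) of that verification: hash the archive in chunks, then compare against the digest obtained from the separate channel using a constant-time comparison. The sample archive bytes and the published digest are constructed inline so the script runs offline. One caveat worth adding to the comment: MD5 has had practical collision attacks since 2004, so a publisher choosing the digest today would use SHA-256; the verifier below accepts either algorithm name so it works with what was actually published.

```python
import hashlib
import hmac
import io
import os
import tempfile

# Constructed stand-in for a conference proceedings archive (not a real file).
SAMPLE_ARCHIVE = b"proceedings: constructed sample bytes for the example\n" * 1000


def digest_stream(stream, algorithm="sha256", chunk_size=1 << 16):
    """Hash a binary stream in chunks so a multi-gigabyte archive need not fit in RAM."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algorithm="sha256"):
    return digest_stream(io.BytesIO(data), algorithm)


def digest_file(path, algorithm="sha256"):
    with open(path, "rb") as f:
        return digest_stream(f, algorithm)


def verify_archive(path, published_hex, algorithm="sha256"):
    """True only if the file's digest exactly matches the value published out of band.

    hmac.compare_digest runs in time independent of where the strings differ;
    the published value is normalised (whitespace, case) before comparing.
    """
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def demo():
    """Verify a clean copy, then a copy with one byte changed; returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "proceedings.zip")
        with open(path, "wb") as f:
            f.write(SAMPLE_ARCHIVE)

        # In practice this value comes from the organiser's HTTPS site, not the CD.
        published = digest_bytes(SAMPLE_ARCHIVE, "sha256")
        clean_ok = verify_archive(path, published)

        # Flip a single byte to simulate a modified copy of the disc.
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered_ok = verify_archive(path, published)

        return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The digest has to come from somewhere other than the disc itself; a hash file written on the same CD proves nothing, because whoever altered the archive could rewrite that too.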

Marilyn Cohodas, User Rank: Strategist
3/5/2015 | 10:26:41 AM
Re: Maybe the problem is too much flexibility
@klevkoff117-- It's certainly not a new problem. And hats off to whoever figures out the right balance between user convenience and security.
klevkoff117, User Rank: Apprentice
3/5/2015 | 10:36:39 AM
Re: Maybe the problem is too much flexibility
I think a lot of that problem simply comes down to how institutions interact with the public. Most people I know really do care whether their bank account is safe or not - and would probably respond favorably if their bank actually told them "our account summary page isn't especially pretty, but it's much more secure than our competitors". However, that doesn't happen - presumably because somewhere there's a web designer who's worried that their competitors have pretty 3D mouseover buttons and they don't.

Perhaps it would be more useful for them to educate their customers rather than to always play into their least little whims and desires. (I'm imagining a variation of the old Volkswagen commercial... "Our website is ugly, but our security is better, so we can offer you a credit card with a lower interest rate, and pay better interest rates on our accounts; we think the tradeoff is worth it - don't you?" I know I'd move my accounts there tomorrow - if I actually believed the pitch :) )
Marilyn Cohodas, User Rank: Strategist
3/5/2015 | 11:10:50 AM
Re: Maybe the problem is too much flexibility
Great idea @klevkoff117! You should be in marketing! But seriously, I look forward to the day that strong security is a product differentiator -- in finance and other industries.
Joe Stanganelli, User Rank: Ninja
3/6/2015 | 12:08:11 AM
Re: Infected conference materials
They do make good gifts, though.  One Christmas, when I was stuck for a Christmas present for someone, I gave them one of my free mega-storage USB sticks from a conference.  They loved it.

Maybe they're hacked now.  Who knows?  :p
Joe Stanganelli, User Rank: Ninja
3/6/2015 | 12:09:30 AM
Re: Infected conference materials
Scan everything.  :)
Joe Stanganelli, User Rank: Ninja
3/7/2015 | 11:34:32 PM
Re: Maybe the problem is too much flexibility
That's beautiful, man.  I agree with Marilyn; you should be in marketing.

Unfortunately, marketing ROI and security ROI are very tricky to determine and justify.  It's all about UX these days -- even though nobody in the room at the UX meetings is a "U."