• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

An eye opening lesson in IT security

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    An eye opening lesson in IT security

    The last few days have been spent with a really cool hacker / security expert. In that time I have seen vast dumps of credit card details, entire password files with rainbow tables and the most scary of all the ID dumps of operatives taken from the Mosad bust up with Anonymous. One of the most concerning things that became apparent was the vast amounts of stolen data that is hiding in plain site on boards. Anyone that thinks that their IT security is working should probably go and do some digging out in the less savoury parts of the internet...

    I am not surprised that the criminals are ripping the piss with some of the stuff out there...

    #2
    If you work for a large well known company, have a chat sometime with the network security team.
    Down with racism. Long live miscegenation!

    Comment


      #3
      They know everything and they are watching you.

      Comment


        #4
        Originally posted by bobspud View Post
        The last few days have been spent with a really cool hacker / security expert. In that time I have seen vast dumps of credit card details, entire password files with rainbow tables and the most scary of all the ID dumps of operatives taken from the Mosad bust up with Anonymous. One of the most concerning things that became apparent was the vast amounts of stolen data that is hiding in plain site on boards. Anyone that thinks that their IT security is working should probably go and do some digging out in the less savoury parts of the internet...

        I am not surprised that the criminals are ripping the piss with some of the stuff out there...
        We need to think about what information we store electronically.
        And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014

        Comment


          #5
          Originally posted by bobspud View Post
          The last few days have been spent with a really cool hacker / security expert. In that time I have seen vast dumps of credit card details, entire password files with rainbow tables and the most scary of all the ID dumps of operatives taken from the Mosad bust up with Anonymous.
          Much more concerning than that is the amount of data they collect about us every day from our mobile phone position, cctv, numberplate recognition and internet records....
          Free advice and opinions - refunds are available if you are not 100% satisfied.

          Comment


            #6
            Just the level 3 european network has somewhere in the region of 67Tb per second of capacity on its own. thats one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it.

            Its never going to be physically possible to handle taps on that data. And if the government tried it how hard would it be to flood the network with random noise? If you get to the bit where they ask the ISP to save all that web data and email.... I have 10 gmail accounts and they all have 10gb of mail capacity and given that the ISP will have to store that for 7 years you are talking about 125 copies stored per year with the typical rotation.

            I am going into see a client next week to tell them that we found about 3 gigs of their data sat on paste bin and some associated sites. We found that much in 20 minutes while a sales presentation was on the go...

            In short 20 minutes work got me enough inside information to earn more in a week of activity than the poor sap that takes this job will in several years...

            Job: Urgent IT Security Expert Wanted up to £350/day - Technojobs

            Comment


              #7
              Originally posted by bobspud View Post
              Its never going to be physically possible to handle taps on that data.
              It already is.

              You can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.

              I'd be interested to know if something like this is wired up to major ingress and egress points or various places in between. The linx for example handles about 1.5Tbit/s peak traffic, which could all be scanned with a couple of racks worth of gear and e.g. every VOIP call captured. Obviously that wouldn't deal with stuff outside your borders, or stuff that doesn't transit that exchange, but most western countries have similar lawful intercept laws to the US, so they could easily compel a carrier to capture every packet going in or out of a particular broadband connection or similar.

              Originally posted by bobspud View Post
              And if the government tried it how hard would it be to flood the network with random noise?
              Easy. Set up a site for IT contractors and post some daily mail links about AGW and economics

              Originally posted by bobspud View Post
              If you get to the bit where they ask the ISP to save all that web data and email....
              What, this bit?

              http://www.legislation.gov.uk/uksi/2.../contents/made
              Last edited by doodab; 1 June 2013, 12:49.
              While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'

              Comment


                #8
                Originally posted by doodab View Post
                You can buy something that fits into a standard IBM blade rack and does deep packet inspection on 20Gbps from a company called cloudshield, who are owned by this lot. That's 280Gbps in 9u. They also sell a 4u box that can handle 120Gbps. I would expect that even better devices exist given that the latest generation of FPGAs can handle terabits of IO with a single chip and most of the big US defence contractors have been or are involved with developing deep packet inspection technology.
                Is that much use, given most of the packets they're interested in will be SSL encrypted data?
                "A life, Jimmy, you know what that is? It’s the s*** that happens while you’re waiting for moments that never come." -- Lester Freamon

                Comment


                  #9
                  Originally posted by bobspud View Post
                  Just the level 3 european network has somewhere in the region of 67Tb per second of capacity on its own. thats one network! When the government talk about listening to that sort of bandwidth when the best some of the guys in the field have is in the megabit range, you have to wonder who the idiots are that are suggesting it. ...
                  WHS, but this obsession with logging IT comms by that bossy Home Secretary (I forget her name) has very little to do with terrorism but is much more about identifying council house and housing association sub-letters and cash-in-hand landlords, to try and winkle more tax out of them.
                  Work in the public sector? Read the IR35 FAQ here

                  Comment


                    #10
                    Originally posted by Freamon View Post
                    Is that much use, given most of the packets they're interested in will be SSL encrypted data?
                    At that scale I'd guess they would be more concerned with who talks to whom and how often, who looks at which suspicious websites and what they looked at (can be inferred from response sizes) and looking for patterns, perhaps even working out where someone is physically located if they don't already know.

                    The other thing about ssl is that a man in the middle attack is pretty easy if you can fake certificates, so you need to look at who controls all of the certificate authorities you trust.
                    While you're waiting, read the free novel we sent you. It's a Spanish story about a guy named 'Manual.'

                    Comment

                    Working...
                    X