Thursday, August 17, 2017

Tag: Cruise

Smallest Detroit automaker is relying on partners for self-driving tech help.
Hypoxic area is likely even larger, but cruise ran out of time to make measurements.
Enjoys Failsafe Travel with SANsymphony™
READING, UK. and Unterfoehring, Germany, June 19, 2017 – DataCore Software, a leading provider of software-defined storage, today announced that its software-defined storage platform, SANsymphony™, has been implemented on the cruise ship fleet of TUI Cruises, a joint venture between German TUI AG and Royal Caribbean Cruises Ltd., the world’s second-largest cruise company.

The SANsymphony™ storage platform delivers highly available, high-performance storage capacity for VMware, Microsoft SQL Server and Microsoft Exchange. “DataCore’s... Source: RealWire
In the latest missile-palooza, DPRK shoots four missiles at targets in Sea of Japan.
Best bits make us hopeful for next Dark Universe movie. Not this one, though.
Will have a "wake word" like Google Home, Amazon Echo—but you can choose it.

Avoid "Hal."
Geofenced to highways, it uses head-tracking to know when the driver's distracted.
Much to like, including Cadillac's semi-autonomous system and a Ford police hybrid.
But burning biofuel still gives off a lot of soot particles.
It's the latest provocation as Russia's military appears to test Trump.
Solve the DDoS problem? No problem. We’ll just get ISPs to rewrite the internet.
Apply best routing practices liberally. Repeat each morning.
In this interview Ian Levy, technical director of GCHQ’s National Cyber Security Centre, says it’s up to ISPs to rewrite internet standards and stamp out DDoS attacks coming from the UK.
In particular, they should change the Border Gateway Protocol, which lies at the heart of the routing system, he suggests. He’s right about BGP.
It sucks.

ENISA calls it the “Achilles’ heel of the Internet”.
In an ideal world, it should be rewritten.
In the real one, it’s a bit more difficult. Apart from the ghastly idea of having the government’s surveillance agency helping to rewrite the Internet’s routing layer, it’s also like trying to rebuild a cruise ship from the inside out. Just because the ship was built a while ago and none of the cabin doors shut properly doesn’t mean that you can just dismantle the thing and start again.
It’s a massive ship and it’s at sea and there are people living in it. In any case, ISPs already have standards to help stop at least one category of DDoS, and it’s been around for the last 16 years.

All they have to do is implement it.

Reflecting on the problem

Although there are many subcategories, we can break down DDoS attacks into two broad types.

The first is a direct attack, where devices flood a target with traffic directly. The second is a reflected attack. Here, the attacker impersonates a target by sending packets to another device that look like they’re coming from the target’s address.

The device then tries to contact the target, participating in a DDoS attack that knocks it out. The attacker fools the device by spoofing the source of the IP packet, replacing their IP address in the packet header’s source IP entry with the target’s address.
It’s like sending a letter in someone else’s name.

The key here is amplification: depending on the type of traffic sent, the response sent to the target can be an order of magnitude greater. ISPs can prevent this by validating source addresses and using anti-spoofing filters that stop packets with incorrect source IP addresses from entering or leaving the network, explains the Mutually Agreed Norms for Routing Security (MANRS).

This is a manifesto produced by a collection of network operators who want to make the routing layer more secure by promoting best practices for service providers.

Return to sender

One way to do this is with an existing standard from 2000 called BCP 38. When implemented in network edge equipment, it checks to see whether incoming packets contain a source IP address that’s approved and linked to a customer (e.g., within the appropriate block of IPs).
If it isn’t, it drops the packet.
Simple.
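The check just described, as an added example that is not code from the article, MANRS or any vendor: packets arriving on a customer port are accepted only when their source address lies in a prefix assigned to that customer, and, going a step beyond the text, the same packets are judged with strict unicast reverse-path forwarding, the router feature most operators use to deploy BCP 38. The interface names, prefixes and packets are constructed sample data.

```python
"""Source address validation at an ISP edge, in the spirit of BCP 38.

Two checks are run over the same constructed packets:
  * ACL style: the source must lie in a prefix assigned to the customer port
    the packet arrived on (the check the article describes);
  * strict unicast RPF: the best route back to the source must point at the
    arrival interface (how most routers implement BCP 38 in practice).
Interface names, prefixes (RFC 5737 / RFC 3849 ranges) and packets are made up.
"""
import ipaddress
from collections import Counter

# Customer port -> prefixes assigned to that customer (constructed).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("2001:db8:10::/48")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.128/25")],
}

# Routing table: prefix -> interface through which it is reached (constructed).
ROUTES = {ipaddress.ip_network(p): ifc for p, ifc in [
    ("203.0.113.0/24", "ge-0/0/1"),
    ("2001:db8:10::/48", "ge-0/0/1"),
    ("198.51.100.128/25", "ge-0/0/2"),
    ("0.0.0.0/0", "uplink0"),   # default routes point at the Internet
    ("::/0", "uplink0"),
]}

def acl_permits(iface, src):
    """True if src falls inside a prefix assigned to the arrival interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in CUSTOMER_PREFIXES.get(iface, []))

def best_route(src):
    """Longest-prefix match: the interface the router would use to reach src."""
    ip = ipaddress.ip_address(src)
    matches = [n for n in ROUTES if n.version == ip.version and ip in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]

def urpf_strict_permits(iface, src):
    """Strict uRPF: accept only if the return path to src is the arrival port."""
    return best_route(src) == iface

def ingress_filter(packets, check=acl_permits):
    """Apply a source-address check to each packet.

    Returns the forwarded packets and a Counter of drops per arrival interface,
    the figure an operator would graph to spot a customer emitting spoofed traffic.
    """
    accepted, dropped = [], Counter()
    for pkt in packets:
        if check(pkt["iface"], pkt["src"]):
            accepted.append(pkt)
        else:
            dropped[pkt["iface"]] += 1
    return accepted, dropped

# Constructed traffic. 192.0.2.10 plays the victim of a reflection attack: the
# port ge-0/0/1 emits a DNS query whose forged source is the victim, so the
# resolver's answer would land on the victim; ge-0/0/2 forges another customer's
# address. Everything else is legitimately sourced.
SAMPLE_PACKETS = [
    {"iface": "ge-0/0/1", "src": "203.0.113.7", "dst": "198.51.100.53", "dport": 53},
    {"iface": "ge-0/0/1", "src": "2001:db8:10::beef", "dst": "2001:db8:ffff::53", "dport": 53},
    {"iface": "ge-0/0/1", "src": "192.0.2.10", "dst": "198.51.100.53", "dport": 53},  # spoofed
    {"iface": "ge-0/0/2", "src": "198.51.100.200", "dst": "192.0.2.80", "dport": 443},
    {"iface": "ge-0/0/2", "src": "203.0.113.9", "dst": "192.0.2.80", "dport": 443},  # spoofed
]

if __name__ == "__main__":
    for name, check in (("ACL", acl_permits), ("strict uRPF", urpf_strict_permits)):
        accepted, dropped = ingress_filter(SAMPLE_PACKETS, check)
        print(f"{name}: forwarded {len(accepted)}, dropped per port {dict(dropped)}")
```

Both checks drop the same two forged packets; the per-port drop counter is the signal worth alerting on, since a single customer port producing a burst of drops is how a spoofing source shows up to the operator.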

Corero COO & CTO Dave Larson adds, “If you are not following BCP 38 in your environment, you should be.
If all operators implemented this simple best practice, reflection and amplification DDoS attacks would be drastically reduced.” There are other things that ISPs can do to choke off these attacks, such as response rate limiting.

Authoritative DNS servers are often used as the unwitting dupe in reflection attacks because they send more traffic to the target than the attacker sends to them.
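Response rate limiting as mentioned above, implemented in miniature as an added example that is neither the article's code nor BIND's: identical answers towards one client network are capped per second, and a share of the suppressed answers is sent truncated so a genuine resolver retries over TCP while a spoofed victim receives only header-sized packets. The limits, response sizes and queries are constructed.

```python
"""DNS response rate limiting (RRL) as authoritative servers apply it.

Responses are bucketed by (client network, response identity). Once a bucket
exceeds its per-second allowance, further identical answers are suppressed and
every slip-th suppressed answer goes out truncated (TC=1, header only), so a
genuine resolver retries over TCP while a spoofed victim gets only tiny packets.
Limits, response sizes and queries below are constructed.
"""
import ipaddress
from collections import defaultdict

ANSWER, SLIP, DROP = "answer", "slip", "drop"

class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit = responses_per_second
        self.slip = slip                  # 0 disables truncated replies entirely
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.state = defaultdict(lambda: {"window": None, "sent": 0, "suppressed": 0})

    def _key(self, client_ip, qname, qtype, rcode):
        """Bucket on the client's /24 (or /56) plus the response identity."""
        ip = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{ip}/{self.prefix[ip.version]}", strict=False)
        return (net, qname.lower().rstrip("."), qtype, rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return ANSWER, SLIP or DROP for one response at time `now` (seconds)."""
        st = self.state[self._key(client_ip, qname, qtype, rcode)]
        window = int(now)                 # fixed one-second window
        if st["window"] != window:
            st.update(window=window, sent=0, suppressed=0)
        if st["sent"] < self.limit:
            st["sent"] += 1
            return ANSWER
        st["suppressed"] += 1
        if self.slip and st["suppressed"] % self.slip == 0:
            return SLIP
        return DROP

FULL_RESPONSE_BYTES = 3000   # a large ANY answer (constructed size)
TRUNCATED_BYTES = 60         # TC=1 reply carrying only header and question

def simulate(queries, limiter=None):
    """Run (time, client, qname, qtype) queries through the limiter.

    Returns bytes sent to each client and a count per verdict, so the traffic
    reaching a spoofed victim can be compared with and without RRL.
    """
    limiter = limiter or ResponseRateLimiter()
    sent, verdicts = defaultdict(int), defaultdict(int)
    for now, client, qname, qtype in queries:
        verdict = limiter.decide(now, client, qname, qtype)
        verdicts[verdict] += 1
        if verdict == ANSWER:
            sent[client] += FULL_RESPONSE_BYTES
        elif verdict == SLIP:
            sent[client] += TRUNCATED_BYTES
    return dict(sent), dict(verdicts)

# Constructed traffic: 20 ANY queries in under a second with the victim's address
# (192.0.2.10) forged as source, one genuine resolver asking the same question,
# and one more forged query after the one-second window has rolled over.
SAMPLE_QUERIES = [(i * 0.04, "192.0.2.10", "example.com.", "ANY") for i in range(20)]
SAMPLE_QUERIES += [(0.5, "198.51.100.77", "example.com.", "ANY"),
                   (1.2, "192.0.2.10", "example.com.", "ANY")]

if __name__ == "__main__":
    sent, verdicts = simulate(SAMPLE_QUERIES)
    forged = sum(q[1] == "192.0.2.10" for q in SAMPLE_QUERIES) * FULL_RESPONSE_BYTES
    print(f"victim gets {sent['192.0.2.10']} bytes with RRL, {forged} without; {verdicts}")
```

With the constructed numbers the forged queries would have pushed 63,000 bytes at the victim; the limiter cuts that to 18,420 while the genuine resolver's single query is answered in full.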

Operators of those servers can limit the number of responses using a mechanism included by default in the BIND DNS server software, for example, which detects patterns in incoming traffic and limits the responses to avoid flooding a target.

The Internet of Pings

We’d better sort this out, because the stakes are rising.

Thanks to the Internet of Things, we’re seeing attackers forklift large numbers of dumb devices such as IP cameras and DVRs, pointing them at whatever targets they want. Welcome to the Internet of Pings. We’re at the point where some jerk can bring down the Internet using an army of angry toasters.

Because of the vast range of IP addresses, it also makes things more difficult for ISPs to detect and solve the problem. We saw this with the attack on Dyn in late October, which could well be the largest attack ever at this point, hitting the DNS provider with pings from tens of millions of IP addresses.

Those claiming responsibility said that it was a dry run. Bruce Schneier had already reported someone rattling the Internet’s biggest doors. “What can we do about this?” he asked. “Nothing, really.”

Well, we can do something. We can implore our ISPs to pull their collective fingers out and start implementing some preventative technology. We can also encourage IoT manufacturers to impose better security in IoT equipment. Let’s get to proper code signing later, and start with just avoiding the use of default login credentials first. When a crummy malware strain like Mirai takes down half the web using nothing but a pre-baked list of usernames and passwords, you know something’s wrong.

How do we persuade IoT vendors to do better? Perhaps some government regulation is appropriate.
Indeed, organizations are already exploring this on both sides of the pond. Unfortunately, politicians move like molasses, while DDoS packets move at the speed of light.
In the meantime, it’s going to be up to the gatekeepers to solve the problem voluntarily. ®
Broad smiles, good suits and fake IDs test security in new dimensions

FEATURE "Go to this McDonald's," Chris Gatford told me. "There's a 'Create Your Taste' burger-builder PC there and you should be able to access the OS.

Find that machine, open the command prompt and pretend to do something important."

"I'll be watching you."

Gatford instructed your reporter to visit the burger barn because he practises a form of penetration testing called "red teaming", wherein consultants attack clients using techniques limited only by their imagination, ingenuity, and bravado. He wanted me to break the burger-builder to probe my weaknesses before he would let The Register ride along on a red-team raid aimed at breaking into the supposedly secure headquarters of a major property chain worth hundreds of millions of dollars.

Before we try for that target, Gatford, director of penetration testing firm HackLabs, wants to know if I will give the game away during a social engineering exploit.

Chris Gatford (Image: Darren Pauli / The Register)

So when the McDonald's computer turns out to have been fixed and my fake system administrator act is cancelled, we visit an office building's lobby where Gatford challenges me to break into a small glass-walled room containing a shabby-looking ATM. I can't see a way into the locked room.
I think I see a security camera peering down from the roof, but later on I'm not sure I did.
I can't think of a way in, and I'm trying so hard to look casual that I know I must look nervous. Time's up.

Gatford is finished with the lobby clerk. He asks how I would get in, and hints in my silence that the door responds to heat sensors. I mutter something stupid about using a hair dryer.

Gatford laughs and reminds me about heat packs you'd slip into gloves or ski boots. "Slide one of those under the crack," he says. I've failed that test but stayed cool, so Gatford decides he's happy to have me along on a red-team raid, if only because red teams seldom face significant resistance. "At the end of the day, people just want to help," Gatford says.

Red alert

Costume is therefore an important element of a red team raid.

For this raid, our software exploits are suits and clipboards.
Sometimes it's high-visibility tradie vests, hard hats, or anything that makes a security tester appear legitimate. Once dressed for the part, practitioners use social-engineering skills to manipulate staff into doing their bidding.

Fans of Mr Robot may recall an episode where the protagonist uses social engineering to gain access to a highly secure data centre; this is red teaming stylised.

Think of a real-world capture-the-flag where the flags are located in the CEO's office, the guard office, and highly secure areas behind multiple layers of locked doors. By scoring flags, testers demonstrate the fallibility of physical defences.

Only one manager, usually the CEO of the target company, tends to know an operation is afoot. Limited knowledge, or black-box testing, is critical for examining the real defences of an organisation. Red teamers are typically not told anything outside of the barebones criteria of the job, while staff know nothing at all.
It catches tech teams off guard and can make them look bad.

Gatford is not the only tester forced to calm irate staff with the same social engineering manipulation he uses to breach defences. Red teamers almost always win, pushing some to more audacious attacks. Vulture South knows of one Australian team busted by police after the black-clad hackers abseiled down from the roof of a data centre with GoPro cameras strapped to their heads.

Across the Pacific, veteran security tester Charles Henderson tells of how years back he exited a warehouse after a red-teaming job. "I was walking out to leave and I looked over and saw this truck," Henderson says. "It was full of the company's disks ready to be shredded.

The keys were in it." Henderson phoned the CEO and asked if the truck was in-scope, a term signalling a green light for penetration testers.
It was, and if it weren't for a potential call to police, he would have hopped into the cab and driven off. Henderson now leads Dell's new red-teaming unit in the United States, which he also built from the ground up.

"There are some instances where criminal law makes little distinction between actions and intent, placing red teams in predicaments during an assignment, particularly when performing physical intrusion tasks," Nathaniel Carew and Michael McKinnon from Sense of Security's Melbourne office say. "They should always ensure they carry with them a letter of authority from the enterprise."

Your reporter has, over pints with the hacking community, heard many stories of law enforcement showing up during red-team ops. One Australian was sitting off a site staring through a military-grade sniper scope, only to have a cop tap on the window.

Gatford some years ago found himself face-to-face in a small room with a massive industrial furnace while taking a wrong turn on a red-team assignment at a NSW utility. He and his colleagues were dressed in suits.

Another tester on an assignment in the Middle East was detained for a day by AK-47-wielding guards after the CEO failed to answer the phone. Red teamers have been stopped by police in London, Sydney, and Quebec, The Register hears. One of Australia's notably talented red teamers told of how he completely compromised a huge gaming company using his laptop and mobile phone. Whether red teaming on site or behind the keyboard, the mission is the same: breach by any means necessary.

Equipment check

A fortnight after the ATM incident, The Register is at HackLabs' Manly office.
It's an unassuming and unmarked door that takes this reporter several minutes to spot. Upstairs, entry passes to international hacker cons are draped from one wall, a collection of gadgets on a neighbouring shelf.

Then there's the equipment area.
Scanners, radios, a 3D printer, and network equipment sit beside identity cards sporting the same face but different names and titles.

There's a PwnPlug and three versions of the iconic Wi-Fi Pineapple over by the lockpicks.

A trio of neon hard hats dangle from hooks. "What do you think?" Gatford asks.
It's impressive; a messy collection of more hacking gadgets than this reporter had seen in one place, all showing use or in some stage of construction.

This is a workshop of tools, not toys. In his office, Gatford revealed the target customer. The Register agrees to obscure the client's name, and any identifying particulars, so the pseudonym "Estate Brokers" will serve.

Gatford speaks of the industry in which it operates, Brokers' clientele, and their likely approach to security. The customer has multiple properties in Sydney's central business district, some housing clients of high value to attackers.
It has undergone technical security testing before, but has not yet evaluated its social engineering resilience. The day before, Gatford ran some reconnaissance of the first building we are to hit, watching the flow of people in and out of the building from the pavement. Our targets, he says, are the bottlenecks like doors and escalators that force people to bunch up.

He unzips a small suitcase revealing what looks like a large scanner, with cables and D-cell batteries flowing from circuit boards. "It's an access card reader," Gatford says.
It reads the most common frequencies used by the typically white rigid plastic door entry cards that dangle from staffer waists.

There are more secure versions that this particular device does not read without modification. "No one uses the secure stuff, mate," Gatford says with the same half-smile worn by most in his sector when talking about the pervasive unwillingness to spend on security. I point to a blue plastic card sleeve that turns out to be a SkimSAFE FIPS 201-certified anti-skimming card protector.

Gatford pops an access card into it and waves it about a foot in front of the suitcase-sized scanner.
It beeps and card number data flashes up on a monitor. "So much for that," Gatford laughs.

He taps away at his Mac, loading up Estate Brokers' website. "We'll need employee identity cards or we'll be asked too many questions," Gatford says. We are to play the role of contractors on site to conduct an audit of IT equipment, so we will need something that looks official enough to pass cursory inspection. The company name and logo image are copied over, a mug shot of your reporter snapped, and both are printed on a laminated white identity card.

Gatford does the same for himself. We're auditors come to itemise Estate Brokers' security systems and make sure everything is running. "We should get going," he says as he places hacking gear into a hard shell suitcase.
So off we go.

Beep beep beep beepbeepbeep

Our attack was staged in two parts over two days.

Estate Brokers has an office in a luxurious CBD tower. We need to compromise that in order to breach the second line of defences. We'll need an access card to get through the doors, however, and our laptop-sized skimmer, which made a mockery of the SkimSAFE gadget, will be the key. It is 4:32pm and employees are starting to pour out of the building.

Gatford hands me the skimmer concealed in a very ordinary-looking laptop bag. "Go get some cards," he says. Almost everyone clips access cards on their right hip.
If I can get the bag within 30cm of the cards, I'll hear the soft beep I've been training my ear to detect that signals a successful read. Maybe one in 20 wear their access cards like a necklace. "Hold your bag in your left hand, and pretend to check the time on your watch," Gatford says.

That raises the scanner high enough to get a hit. I'm talking to no one on my mobile as I clumsily weave in and out of briskly walking staff, copping shade from those whose patience has expired for the day.

Beep.

Beep.

Beep, beep, beep, beep, beepbeepbeepbeep.

There are dozens of beeps, far too many to count.

Then we enter a crowded lift and it's like a musical.
It's fun, exhilarating stuff.

The staff hail from law firms, big tech, even the Federal Government.

And we now have their access cards. Estate Brokers is on level 10, but we need a card to send the lift to it. No matter, people just want to help, remember? The lady in the lift is more than happy to tap her card for the two smiling blokes in suits.

Gatford knows the office and puts me in front. "Walk left, second right, second left, then right." I recite it. With people behind us, I walk out and start to turn right, before tightening, and speeding up through the security door someone has propped open. We enter an open-plan office. "They are terrible for security," I recall Gatford saying earlier that day.
It allows attackers to walk anywhere without the challenge of doors. Lucky for us.

Gatford takes the lead and we cruise past staff bashing away their final hour in cubicles, straight to the stationery room. No one is there as Gatford fills a bag with letterheads and branded pens, while rifling through for other things that could prove useful.

We head back to the lobby for a few more rounds of card stealing. Not all the reads come out clean, and not all the staff we hit are from Estate Brokers, so it pays to scan plenty of cards.

"Look out for that guard down there," Gatford says, indicating the edge of the floor where a security guard can be seen on ground level. "Tell you what, if you can get his card, I'll give you 50 bucks."

"You're on," I say. The guard has his card so high on his chest it is almost under his chin.

At this point I think I'm unbeatable so after one nerve-cooling circuit on the phone, I walk up to him checking my watch with my arm so high I know I look strange.
I don't care, though, because I figure customer service is a big thing in the corporate world and he'll keep his opinions to himself.
I ask him where some made-up law firm is as I hear the beep.

Silver tongue

It is 8:30am the next day and I am back in Gatford's office. We peruse the access cards. He opens up the large text file dump of yesterday's haul and tells me what the data fields represent. "These are the building numbers; they cycle between one and 255, and these are the floor numbers," he says.

There are blank fields and junk characters from erroneous scans. He works out which belong to Estate Brokers and writes them to blank cards.

They work. More reconnaissance.

Estate Brokers has more buildings that Gatford will test after your reporter leaves. He fires up Apple Maps and Google Maps Street View. With the eyes of a budding red teamer I am staggered by the level of detail they offer.

Apple is great for external building architecture, like routing pathways across neighbouring rooftops, Gatford says, while Google lets you explore the front of buildings for cameras and possible sheltered access points.
Some mapping services even let you go inside lobbies. Today's mission is to get into the guards' office and record the security controls in place.
If we can learn the name and version of the building management system, we've won.

Anything more is a bonus for Gatford's subsequent report. We take the Estate Brokers stationery haul along with our access cards and fake identity badges and head out to the firm's second site. But first, coffee in the lobby. We chat about red teaming, about how humans are always the weakest link. We eat and are magnanimous with the waiting staff.

Gatford gets talking to one lady and says how he has forgotten the building manager's name. "Jason sent us in," he says, truthfully. Jason is the guy who ordered the red team test, but we don't have anything else to help us.

The rest is up to Gatford's skills. It takes a few minutes for the waitress to come back.

The person who she consulted is suspicious and asks a few challenging questions. Not to worry, we have identity cards and Gatford is an old hand.
I quietly muse over how I would have clammed up and failed at this point, but I'm happily in the backseat, gazing at my phone. We use the access cards skimmed the day earlier to take the lift up to an Estate Brokers level.
It is a cold, white corridor, unkempt, and made for services, not customers.

There's a security door, but no one responds to our knocks.

There are CCTV cameras. We return down to the lobby. Michael is the manager Gatford had asked about. He is standing at the lifts with another guy, and they greet us with brusque handshakes, Michael's barely concealed irritation threatening to boil over in response to our surprise audit. He rings Jason, but there's no answer.
I watch Gatford weave around Michael's questions and subtly defuse the tension.
It's impressive stuff. Michael says the security room is on the basement level, so we head back into the lift and beep our way down with our cards. The level is lined with dank, white concrete and dimly lit. We spy the security room beaming with CCTV.

"Don't hesitate, be confident," Gatford tells me. We stride towards the door, knock, and Gatford talks through the glass slit to the guard inside. Gatford tells him our story. He's a nice bloke, around 50 years old, with a broad smile.

After some back-and-forth about how Jason screwed up and failed to tell anyone about the audit, he lets us in. My pulse quickens as Gatford walks over to a terminal chatting away to the guard.

There are banks of CCTV screens showing footage from around the building.

A pile of access cards.
Some software boxes. I hear the guard telling Gatford how staff use remote desktop protocol to log in to the building management system, our mission objective. "What version?" Gatford asks. "Uh, 7.1.
It crashes a lot." Bingo.

Day one, heading up in a crowded lift. Shot with a pen camera.

I look down and there are logins scrawled on Post-it notes. Of course.
I snap a few photos while their backs are turned. Behind me is a small room with a server rack and an unlocked cabinet full of keys.
I think Gatford should see it so I walk back out and think of a reason to chat to the guard.
I don't want to talk technology because I'm worried my nerves will make me say something stupid.
I see a motorbike helmet. "What do you ride?" I ask. He tells me about his BMW 1200GS. Nice bike.
I tell him I'm about ready to upgrade my Suzuki and share a story about a recent ride through some mountainous countryside. Gatford, meanwhile, is out of sight, holed up in the server room snapping photos of the racks and keys. More gravy for the report. We thank the guard and leave.
I feel unshakably guilty.

From the red to the black

Gatford and I debrief over drinks, a beer for me, single-malt whiskey for him. We talk again about how the same courtesy and acquiescence to the customer that society demands creates avenues for manipulation. It isn’t just red teamers who exploit this; their craft is essentially ancient grifts and cons that have ripped off countless gullible victims, won elections or made spear phishing a viable attack.

I ask Gatford why red teaming is needed when the typical enterprise fails security basics, leaving old application security vulnerabilities in place, forgetting to shut down disused domains and relying on checkbox, compliance-driven audits that are known bad practice. "You can't ignore one area of security just to focus on another," he says. "And you don't do red teaming in isolation."

Carew and McKinnon agree, adding that red teaming is distinct from penetration testing in that it is a deliberately hostile attack through the easiest path to the heart of organisations, while the latter shakes out all electronic vulnerabilities. "Penetration testing delivers an exhaustive battery of digital intrusion tests that find bugs from critical, all the way down to informational... and compliance problems and opportunities," they say in a client paper detailing aspects of red teaming [PDF]. "In contrast, red teaming aims to exploit the most effective vulnerabilities in order to capture a target, and is not a replacement for penetration testing as it provides nowhere near the same exhaustive review."

Red teaming, they say, helps organisations to better defend against competitors, organised crime, and even cops and spies in some countries. Gatford sells red teaming as a package.

Australia's boutique consultancies, and those across the ditch in New Zealand, pride themselves on close partnerships with their clients.

They point out the holes, and then help to heal.

They offer mitigation strategies, harass vendors for patches, and help businesses move bit by bit from exposed to secure. For his part, Gatford is notably proud of his gamified social engineering training, which he says is designed to showcase the importance of defence against the human side of security, covering attacks like phishing and red teaming. He's started training those keen on entering red teaming through a three-day practical course. "Estate Brokers", like others signing up for this burgeoning area of security testing, will go through that training.

Gatford will walk staff through how he exploited their kindness to breach the secure core of the organisation. And how the next time, it could be real criminals who exploit their willingness to help. ®