
This heli route is just crazy.

Note: This is MLAT, not ADS-B Out data.

https://skybrary.aero/articles/multilateration


> People connecting through our VPN have access to an internal-only SMTP gateway machine that doesn't require SMTP authentication.

Time to clean that up while you're at it.


Layered defence. These days, why do you have anything unauthenticated anywhere? Every system should be authenticated and authorized. Unless information is fully public.

Because of that one cobbled together system, or old network MFP that sends to mail, that's needed for a whole bunch of stuff, can't authenticate, and someone decided it's too expensive to replace for such a small attack surface. Until the problem costs more than the solution large organizations don't move by design. This is usually officially the benchmark: what costs more.

In my experience, there’s a random server that nobody knows who maintains it offhand, including the person who maintains it. People ask, and it just doesn’t go anywhere. Until something like this happens. It’s nothing to do with costs, it's just an oversight.

> there’s a random server that nobody knows who maintains it offhand, including the person who maintains it

It makes no sense that you'd keep an insecure service because you forgot someone needs it. You turn it off and the reminder will promptly come to you. After this it's a decision, not oversight.

> It’s nothing to do with costs, it's just an oversight

The article suggests that their internal unauthenticated SMTP was there by design, not oversight, together with an authenticated (presumably external) one. Some assessment deemed addressing the risk from the unauthenticated internal one not worth the cost and effort.

> People connecting through our VPN have access to an internal-only SMTP gateway machine that doesn't require SMTP authentication [...] previous phish spammers have exploited some combination of webmail and authenticated SMTP.


> It makes no sense that you'd keep an insecure service because you forgot someone needs it. You turn it off and the reminder will promptly come to you. After this it's a decision, not oversight.

You’re assuming an org that had a policy in place for this which was followed all along, and not that it’s a piecemeal service barely held together by dreams and prayers. My experience with university IT departments is there’s an _incredible_ amount of “dunno who that belongs to but don’t touch it because it might be important” going on.


> there’s an _incredible_ amount of “dunno who that belongs to but don’t touch it because it might be important”

Right, so not an oversight, but a decision not to touch the obscure system. Decisions with bad outcomes aren't oversight unless you want to downplay them when justifying yourself.

Your SMTP gateway is never "that" system that nobody knows about. You must know who owns and manages it, you know you have to secure it (minimal measures like... authentication) so you don't get unceremoniously penetrated. And if you do it you may or may not realize that something will fail because of the extra security.

If you know that "one cobbled together system, or old network MFP" I was mentioning earlier will fail when you enforce authenticated SMTP, because it's too old and replacing it is $$$, or too arcane and bringing an expert is $$$ then you will take an informed decision whether to proceed with your security hardening or not.

If you have no idea something will fail (you didn't catch it in the dry runs) if you enforce authenticated SMTP, you just do it, and if someone comes in a frenzy to tell you that the old and arcane system is down then you revert the change. Now you're in the informed decision scenario from above.

This is not a minor omission. Leaving a glaring insecurity like this open by oversight isn't what the article suggests happened, and it's almost never the case. It's not something that "just happens", it's something that people meet to discuss and decide to ignore, maybe for reasons that look good at the time. This is the essence of risk taking. But it's a decision nonetheless.


(opportunity) cost to dig into ownership

1. Carefully establish the one critical data flow the whole business depends on. It may cost some time, but this one you have to protect by all means, so stakeholders won't mind.

2. As for the rest, take them down one by one and see what breaks. Got a call to the internal support hotline? "Ooops, sorry, we will turn it on and let's chat about it soon."

There can be a few announcements in advance to shift the blame before (2): "Declare yourself or face consequences" (ChatGPT will write a nicer email). If you are on good terms with the CFO, the noise won't matter. In fact, many people will thank you when their weird stuff is taken over for care by IT.


By that logic everything is a cost or an opportunity cost. I think the idea behind an opportunity cost is lost if you over-apply it.

Imagine having to type your password for every single shell command you execute. Not just for the line you typed, but per statement. A subshell counts as at least one; so does each segment of a pipe. Then, if any of those statements run a shell script, this applies recursively. Then, for any actual program that runs, you have to confirm every syscall with a password too.

That's what "every system should be authenticated and authorized" feels like in the limit. So in practice, it always boils down to how deep you go before the overhead starts to eclipse any benefit you get from running the system.


Unfortunately basically every business I support has some horrible app that takes an IP address and expects to be able to send unauthenticated email to it. If it's not payroll software, it's HR or legal software.

Old MFP that can't speak new SSL/TLS.

Old Java-based application that doesn't respect all email flags and will often just close the connection, even mid successful auth.

New server that lives in the cloud, but doesn't match up with the right protocols to send email out of Azure and into 365, so it's punted down to on-prem and back up to 365 just so Microsoft can sleep better at night.

These are the most common reasons I have seen.


There is this, and then there is the real world of (usually large) companies.

Switching to a modern stack is not just a matter of choosing something. This is easy.

You then must know what data you have. Still manageable somehow.

Then the processes; maybe the company as a whole knows all of them (maybe), but this is dispersed among plenty of staff.

Then you have dependencies. You close a door and a building collapses 10 km away.

Finally there is everything you do not know about, that many someones added.

Don't get me wrong: I work in cybersecurity. But I know how complicated things are.


Because there are two unstoppable laws of the universe:

Physics.

Laziness.

Forget authentication, I know some people who leave their car key in their car and their front door unlocked because they can't be arsed.


Cars are insured and the consequences of a stolen car are not very high. Big difference from losing your retirement account or the proprietary IP of a business.

Consequences of a stolen car are directly obvious and noticeable, and we can't get some people to apply security there. How do you think that's going to work in a system with so many levels of abstraction and typically huge numbers of people involved?

Cars are not stolen very often. Sure, you can look up national statistics and find large numbers, but for the average person (who generally isn't in a "bad neighborhood") it's something that only happens in movies.

That's for the full car disappearing. Getting your car broken into and something stolen is much, much more common.

That seems pretty relative. The consequences are probably high enough for most people. You have the hassle of not having a car, then getting a rental, dealing with your insurance, eventually getting a check for what similar used cars go for, which may be in worse condition and who-knows-what mechanical condition, so then if you want a car that you can (pretty much) trust, you have to buy new which is an unplanned expense. If you're not in a good position financially, it can f things up for you. Especially if you have personal belongings in the car which are not replaceable and probably won't get full value for if you even think to report it to your insurance such as sunglasses, USB cable, emergency seat-belt cutter, first aid kit, tire iron (if you don't want to use the crap one that came with the car), floor liners, seat covers, etc.

OK. You’re gonna lose $100-$200 worth of crap in your car and possibly pay out a $1000 deductible. How does it remotely compare to losing your retirement account or say having all your nude photos sent to your contact list?

For some people, maybe they can't afford to lose $1000-$1500 and the time, all of which might be a bigger deal than some nudes getting out.

For myself, my personal and professional contact lists wouldn't be pleased, and I would apologize to them, but it's not going to cause me to lose any money. I'm certainly not going to be embarrassed about nudity or body shape/condition. Everyone is nude under their clothes, and other people have the same body shape or maybe even medical conditions. (Unhygienics is something else though, and that would be unpleasant.)

Also, I don't let anyone take nudes of me, nor do so myself, because it's just easier to assume that anything digital might be hacked one day.


Whataboutism.

They don't have to compare, they are both problems.


So the "current standard" is not working at all any longer.

What is the solution? Like making the user click again might be against GDPR.

https://www.onlinetraveltraining.com/uk/news/posts/why-one-c...

> As of the 1st June 2024, the one-click unsubscribe feature on email is mandatory, and enforced by Google as a requirement for bulk senders.


Huh? This has nothing to do with the unsubscribe-header thingy. This is about when you for example provide a URL that contains a token in an email, which you exchange for an authentication token once the user visits the URL. Some people implement that page to automatically do the exchange on page load, instead of waiting for the user to click on a button.

> What is the solution? Like making the user click again might be against GDPR.

Dropping all packets from Microsoft or Google in the firewall? /s
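The token-in-URL pattern the comment above describes, as an added example that is not from the original thread: a magic-link login where a GET only renders a confirmation page and the token is consumed by the user's POST, next to the auto-exchange-on-load variant that a mail scanner's prefetch burns before the human ever clicks. The in-memory stores, URL and handler names are assumptions for this example.

```python
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
PENDING_TOKENS = {}   # token -> (user, expiry timestamp)
SESSIONS = {}         # session id -> user

def issue_magic_link(user, ttl=900):
    """Mint a single-use login token and return the URL that goes in the e-mail."""
    token = secrets.token_urlsafe(32)
    PENDING_TOKENS[token] = (user, time.time() + ttl)
    return f"https://example.invalid/login?token={token}"

def handle_get(token):
    """GET /login?token=...: render a confirm button, never consume the token.
    Link scanners follow GETs, so the token must survive this step untouched."""
    if token in PENDING_TOKENS:
        return {"status": 200, "body": "confirm-button", "session": None}
    return {"status": 404, "body": "unknown-link", "session": None}

def handle_post(token):
    """POST /login: the user pressed the button; exchange the token exactly once."""
    entry = PENDING_TOKENS.pop(token, None)   # pop: a second POST gets nothing
    if entry is None:
        return {"status": 403, "body": "token-used-or-unknown", "session": None}
    user, expiry = entry
    if time.time() > expiry:
        return {"status": 403, "body": "token-expired", "session": None}
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = user
    return {"status": 200, "body": "logged-in", "session": sid}

def handle_get_autoexchange(token):
    """The pattern the comment warns about: exchanging on page load, so the
    scanner's GET consumes the token before the human's click."""
    return handle_post(token)

def simulate(user, consume_on_get):
    """Mail scanner fetches the link first (GET), then the human clicks (POST).
    Returns True if the human ends up logged in."""
    token = issue_magic_link(user).rsplit("token=", 1)[1]
    first = handle_get_autoexchange if consume_on_get else handle_get
    first(token)                       # the scanner's prefetch
    return handle_post(token)["status"] == 200
```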


Correct. Garmin's GPS/NAVCOM flagship, the GTN series, is 95% touch.

Yes, but you can perform the essential functions with buttons on the GTN650 or 750 (or xi). Frequency changes, direct-to, etc. are all still accessible on physical buttons, which makes a big difference in turbulence.

> By saying China's using Tik Tok to subvert "democracy," aren't we really saying voters are not individual agents but rather a mob subject to manipulation by propaganda?

Well, we don't know what was said in the classified meetings, but yes, we know that propaganda works.


> “I think that would be, certainly, an option that we look at. The 90-day extension is something that will be most likely done, because it’s appropriate. You know, it’s appropriate. We have to look at it carefully. It’s a very big situation,” Trump told the outlet.

I would have thought that indeed, they have looked at it already carefully.
> subsidiary Optum Specialty Pharmacy and the prices triple or quadruple over MSRP if you buy from OSP using insurance versus if you pay cash.

As a European, this is mind-boggling.


I guess the counterpoint here is that we have lots of data on how external actors (e.g. Russia) are influencing large parts of the political landscape in Europe right now.

