very thought provoking as usual bro thank you for your contributions to our list!

On Thu, 18 Oct 2007 15:16:08 -0400 worried security <[EMAIL PROTECTED]> wrote:
>On 10/18/07, [EMAIL PROTECTED] <full-[EMAIL PROTECTED]> wrote:
>>
>> I thought the main reasons for intrusion were fun and/or profit. I
>> don't see them on your list anywhere.
>>
>> I think your list sucks.
>
>the no.1 threat to corporate and national security is in fact the
>inside job.
>
>yep folks, terrorists are actively seeking to trick the job vetting
>processes for power plants, government etc etc.
>
>because the terrorists know the key systems aren't connected to the
>internet.
>
>but after reading media reports, it seems the department of homeland
>security are thinking if we're not connected to the internet then
>we're safe.
>
>no, even permanently offline systems, still need to be patched from
>internet threats, because terrorists are actively seeking to get into
>key infrastructure jobs with portable disks to infect computers with
>the latest 0-day posted to places such as Full-Disclosure.
>
>yep folks, all security pros on here will have seen the dhs propaganda
>video by now about the turbine getting shutdown with a cyber attack,
>and the dhs are focusing on internet facing systems, but the real
>threat to corporate and national security is the inside job of
>permanently offline systems that the power plants, government etc etc
>think are safe and don't need patched.
>
>what i'm saying is, for example, i'm not saying they use microsoft for
>key infrastructure systems, but a permanently offline system still
>needs to be fully patched after every patch tuesday, even though that
>system is permanently offline and will never ever be connected to the
>internet.
>
>that is my key problem i'm seeing right now by the government in
>respect of cyber security, they are assuming an internet connection
>needs to be there, but that isn't entirely true.
>
>if mr joe jobs wanna be terrorist manages to trick your job vetting
>processes and gets a job with access to the key systems, yes folks,
>terrorists haven't got time to fiddle around with computers, they will
>download exploit code from Full-Disclosure type sources and throw it
>on a portable disk, then go for an inside job social engineering trick
>and get into a power plant, government etc etc job.
>
>so having your permanently offline key infrastructure not patched
>every patch tuesday for example, is pretty bad, because if your
>permanently offline systems had been patched, then mr joe jobs wanna
>be terrorist wouldn't have been able to plug in a portable disk into
>your systems based on a 0-day exploit originally posted on
>Full-Disclosure and shut the place down.
>
>while the internet is one way to get exploit code into your network,
>it's not the only way.
>
>joe jobs wanna be terrorist would rather do an inside job, than fiddle
>around with computers all day.
>
>in short your permanently offline systems still need to be patched
>every patch tuesday.
>
>do the power plants, government etc etc have their patches up to date
>for permanently offline systems? ;) they assume only internet facing
>systems need to be patched from internet threats, but that is their
>delusion not mine.
>
>like in this link, http://www.news.com/8301-10784_3-9799403-7.html
>they keep saying "cyber" as in internet... but the truth is a
>terrorist attack to take out key power plants, government etc etc
>would come from the inside job...
>
>the government are wasting their time with the whole "cyber" security
>thing, while the exploit code carried on portable disks would
>originate from internet sources and that that exploit code may have
>originally needed an internet connection, that is not entirely true if
>portable disks are used and the joe jobs wanna be terrorists target
>permanently unpatched, permanently offline systems.
>
>did you sit smugly in your control rooms smiling at that permanently
>offline system and think, hey, nothing posted on Full-Disclosure can
>touch this? think again.
>
>thanks,
>
>n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
