GCHQ's National Cyber Security Centre opens for business following delays

Discussion in 'Current Affairs, News and Analysis' started by Murphy_Slaw, Feb 14, 2017.

Welcome to the Army Rumour Service, ARRSE

The UK's largest and busiest UNofficial military website.

The heart of the site is the forum area, including:

  1. Sarastro

    Sarastro LE Reviewer Book Reviewer

    Interesting blog, anyway. I thought he was saying something massively controversial but possibly true about DNS filtering, then I re-read it and realised he was saying the opposite.

    Also, this:

    Sounds perfectly reasonable in theory, but is hugely problematic in practice, and I don't see how they are going to solve it to anyone's satisfaction without a lot of reasonable objection from users. The paranoid-but-often-correct part of me also thinks it would be very easy to include, say, users of certain outdated FTP, P2P and I2P protocols into that mix...
    Last edited: Jul 27, 2017
  2. Wordsmith

    Wordsmith LE Book Reviewer

    Ultimately cyber security depends on the people that implement it and how savvy the users are. Both can be outstandingly dumb.

    Earlier this week I emailed a certain local council suggesting it might not be the brightest of ideas to have its recent penetration test results accessible from the internet. (Somehow Google had managed to index the document). Answer came there none.

    A lot of organisations can't even get the basics right. They have the classic user name enumeration/weak password policy/no account lockout combination on their website. Something that can be exploited by even the dumbest hacker.

    Cross site scripting is rife, with XML External Entity (XXE) attacks coming up on the rails. Clear text data transmission is another favourite, as is publicly exposing admin interfaces and not having effective AV software.

    The problem is cyber security is seen an an overhead by most commercial companies - and they tend to spend as little as they can get away with. Your average script kiddie or casual hacker may not bother with a lot of the websites. If the companies are significant enough, a state sponsored hacker might.

    • Informative Informative x 2
  3. rampant

    rampant LE Reviewer Book Reviewer

    If asking dumb questions was a crime, most of us on this site would have been banged up for life along time ago.

    Cyber is not really my field, are we still utilising Tiger Teams and "outside contractors"?
  4. Sarastro

    Sarastro LE Reviewer Book Reviewer


    Completely agree. Even the supposed professionals are astonishingly bad at times. A while ago I was running some training in, for want of a better description, vulnerability assessment. As a final exercise we used the host organisation (high level professional organisation) as a target. Students with a few days training managed, within a couple of hours, using just the public-facing website as a start point, to correctly identify: a discreet physical location; two undisclosed attached organisations, including positive proof of a link; a whole mess of accessible unlisted sub-domains; including a couple on which a secret web portal was hosted, and managed to log in using predictably default passwords. The same web portal login box also yielded a huge long error message with lots of useful info (including database key strings), without even using a SQL injection.

    At which point, I stopped the exercise, and started writing an email headed "URGENT:".

    I would also say, a great example of the depth of problems is:

    Part of the reason for that is that the standard industry recommendations, including those taught on CISP, are wrong. This XKCD panel explains why perfectly:


    The problem is also that most "IT Security professionals" or people who are trained in this stuff are basically not competent, for example the relatively simple calculations of the cryptography behind the above are way beyond them, and they don't actually understand how password cracking works. Observationally, this is because the vast majority of them are ex-20th century security professionals of some kind (military, plod, whatever) who realised they had to retrain, and did so in a system that rewards box-ticking over understanding, competence or expertise. So you have a load of old fudders who have gotten their CISP or other tick in the box, but know about as much as Jon Snow. As a result, companies think they are implementing good practice, when in fact they are making bad and ineffective rules that simply haven't caught up to reality, because reality - in this area - moves too fast.

    This is broadly going to be the weakness behind the centralised, NCSC approach to national cybersecurity. Yes, it will improve the low-hanging fruit, and that will have an impact. The high-level stuff is already broadly taken care of. But it is going to have real difficulty changing the fact that the middle ground of security problems are really caused by organisational culture issues with change, personnel and responsiveness, and a centralised push-driven approach to solving those simply won't work, as it hasn't worked so far.
    • Like Like x 1
    • Informative Informative x 1
  5. A2_Matelot

    A2_Matelot LE Book Reviewer

    Because ""working behind the scenes to improve the underpinning technologies" and "Go looking for badness and take it down" is indicative of action not just policy and advice.
  6. Sarastro

    Sarastro LE Reviewer Book Reviewer

    You're really missing the subtleties of my point.
  7. So what happened when the NHS was taken down in May?
    • Like Like x 1
  8. Don't forget the other two XKCD strips relevant to the subject at hand, mentioned in threads long gone by... specifically regarding compromise by other means...

    Protective security top-tips

    ICT Acquisition - a tale of woe
    • Informative Informative x 1
  9. A2_Matelot

    A2_Matelot LE Book Reviewer

    In what way?
  10. A2_Matelot

    A2_Matelot LE Book Reviewer

    Err no, 'tis you that I think misses mine....
  11. Wordsmith

    Wordsmith LE Book Reviewer

    The answer is indeed complex and will have to be multi faceted.

    I've always been taken with Bruce Schneier's suggestion that software companies should be made legally liable for faults in their software, much like car companies are responsible for selling a product that has been safely designed and put together. At present a software company can put out a product with glaring security holes and not be legally liable if the end user gets breached because of it. Make the software company legally liable and maybe they'd make their software a bit more secure.

    Ship the software with a strong default configuration and require the company installing it to keep a risk register if they relax that default configuration and so on. Even better, hard code in requirements so you can't configure the software below certain minimum standards - for example all passwords must be a minimum of 8 characters long, have a mixture of upper case letters, lower case letters, numbers, special characters and and can't use any of (say) 500 common dictionary words as a base for the password.

    It'll take a holistic approach like the above to make some form of impact on the problem.

  12. I'm sure @Higgs_bosun will Be along shortly to put you all right
    • Show again braincell Show again braincell x 1
  13. Will he be calling us "mongs" and will there be chickens?

    Sent from my SM-N910F using Tapatalk
    • Like Like x 1
    • Show again braincell Show again braincell x 1
  14. When you say software companies are you referring to all companies or just the big players like microsoft etc.

    I ask as I constantly hear about problems with apps and software where the client has specified things have to work a certain way that then lead to completely predictable problems.
  15. I would say its allot more to do with drone security shows such as 24 etc depict ate an enemy that could take over a drone remotely while the thought of this would be a terrifying prospect how would they be able to regain control a quick manor to avert disaster.