Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Mongrel]

*writes down Thad's debit PIN for future reference*

...

Wait... I you haven't got any money!

[Thad]

If my PIN were the address of a place I hadn't lived in years, I'm sure Demogorgon would have cleaned me out by now.

[Rico]

Two things, more likely; most people combine four-digit numbers into sets of two.  My address growing up was ten twenty-four, not one zero two four.

Similarly, it's really irritating if someone leaves you a phone number on a voicemail and doesn't follow the proscribed 123--45--67 rhythm.

[Smiler]

This is my favorite thing said about Lulzsec so far:

This is what would have happened if the A-Team were headed by Murdoch.

[Thad]

Wired via Ars: How digital detectives deciphered Stuxnet, the most menacing malware in history

It's an interesting damn read, just how complex and targeted an attack it was and the steps that security researchers took to figure out what it really was.

It's also got that nice element of moral ambiguity to it -- you can't really pick the "good guys" between the intel agents trying to covertly sabotage Iran's nuclear program and the security researchers who blew the plan open because computer security is bigger than national borders.

[Mongrel]

Oh hey, lost in the shuffle is the fact that the ISP browsing information retention bill passed

"We're not China yet, but we're working on it."

[Thad]

Wonder how long until the courts throw it out.

[Thad]

...so that giant, terrifying compromise of RSA's entire library of private keys?

Somebody opened an E-Mail with a really, really obvious virus attachment.

After the filters had already stuck it in the Junk folder.

I am trying to produce some kind of comment on this revelation but the only sound that's coming out of my mouth is a sort of incredulous squeak.

[Brentai]

Proving once again WHY no security system can ever be perfect.  I mean, until all the monkeys are exterminated.

[Thad]

Craig S Wright at InfoSec Island: SCADA Systems Are Online Now.  For the laymen: SCADA = Supervisory Control And Data Acquisition, and typically refers to physical control systems.

For those not afraid of flying yet:

A while back now, but many of the same systems are in place in the same way, I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 - VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems.

The response, "the engine management system is out of scope."

For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.

(via)

[Thad]

In case there was any doubt that the era of insutrial sabotage via SCADA cracking had begun:

Hackers destroy water pump in SCADA attack

Russians, apparently.

And while I don't buy the "cyberwarfare" histrionics the media like to indulge in, we're going to start seeing a lot more of this shit.

[Mongrel]

In case you ever wondered what the top 25 most-hacked passwords were

I've linked the globe re-post rather than the source article because the globe article numbered their list. The original is linked in the globe article.

#6 is kind of interesting. I bet the users of #9 think they're DOHOHO clever.

[Thad]

hacked

[Büge]

Spaceballs Luggage Password

[Mongrel]

hacked

[Thad]

Google implements forward secrecy for search traffic.  In other words, keys aren't (entirely) stored, and traffic can't be decrypted after the fact.

Basically, if you sniff some encrypted packets and then later get your hands on the private key used to encrypt them, you still can't decrypt them.

Course, that means that instead of sniffing packets ahead of time and getting a key later, the person who hypothetically breaks into Google will be looking specifically for search data.  But still and all, a good step forward.

[Friday]

About a year ago, I had to explain to my mom why adding a "1" after her password didn't make it secure.

A week ago I learned she changed it to a "2".

[Thad]

Doctorow: Sprint phones preloaded with keylogging rootkit.

[Brentai]

...huh.  I don't know if it shows up during OTA updates but I'm still very glad I broke those a year ago.

Good reason to switch carriers; can someone tell me which one is least certain to stoop to that level?

[TA]

It's a bit more involved than just "Sprint puts a rootkit", and it's not really a rootkit, but yeah, throwing pretty much any custom ROM on a phone will cancel that out.