
Thread: Antivirus is shit, everything is compromised, etc etc (Cybersecurity thread)

  1. #641

    Join Date
    April 14, 2011
    Posts
    6,743
    Quote Originally Posted by XenosisMk4 View Post
    Would that even be enforceable?

    It's like saying you can't publish how long it takes to get from 0-60 in a car
    Good morning, welcome to the computing industry. This is actually standard practice.

  2. #642
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    12,421
    Fuck Oracle too, as usual.
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  3. #643
    Donor Sparq's Avatar
    Join Date
    April 11, 2011
    Location
    Strayastan
    Posts
    9,516
    MEGA Chrome Extension Hacked To Steal Login Credentials and CryptoCurrency

    ~ this potentially bit me as I found I still had it installed & active from some time ago. When I checked it, the increment was 3.39.5 and I never got the behavior reported where it asked for elevated permissions - but I've changed my Amazon & Google passwords as a precaution.

    They have a go @ Google, too

    They go further to state that since Google removed the ability for publishers to sign their extensions, and they must instead rely on Google signing them after the extension is uploaded, it makes it easier for external compromises to occur.

    "We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible," the blog post continued. "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."

  4. #644

    Join Date
    April 14, 2011
    Posts
    6,743
    Word on the street is this BA breach is a total catastrofuck. Complete payment card details compromise for two weeks.

  5. #645
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,598
    Quote Originally Posted by Sparq View Post
    "We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible," the blog post continued. "Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well."
    Glorious Firefox master race?
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  6. #646

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,455
    Quote Originally Posted by elmicker View Post
    Word on the street is this BA breach is a total catastrofuck. Complete payment card details compromise for two weeks.
    betting on card details and 3 digit codes in plain text, in the same table as the rest of the user data ?
    Please don't teach me what to do with my pc.

  7. #647

    Join Date
    April 14, 2011
    Posts
    6,743
    Quote Originally Posted by Itiken View Post
    Quote Originally Posted by elmicker View Post
    Word on the street is this BA breach is a total catastrofuck. Complete payment card details compromise for two weeks.
    betting on card details and 3 digit codes in plain text, in the same table as the rest of the user data ?
    I'd doubt it. BA are pretty bad in some ways but not that bad. The way they're specifically talking about transactions within a specific time period leads me to think something in the web infrastructure (e.g. rogue library, hijack, MITM etc.) has been done in. If they compromised a database they'd have its full contents, not just transactions between two very specific points in time. They're also very explicit - the data were compromised. No weasel words about "potential compromise" or someone "having access"

    "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised..."

  8. #648
    Cosmin's Avatar
    Join Date
    March 14, 2012
    Location
    UK
    Posts
    6,174
    You know that from 1st hand experience? Because fk me, but companies have lied before and continue to do so, if it's written BA on the side of the building it doesn't mean they didn't outsource shit to morons who in turn didn't give a shit in securing their clients' data.

    I would not be surprised at all if those details were stored in plain text, because that's how big companies work, right?
    Guns make the news, science doesn't.

  9. #649
    XenosisMk4's Avatar
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,516
    Quote Originally Posted by Cosmin View Post
    You know that from 1st hand experience? Because fk me, but companies have lied before and continue to do so, if it's written BA on the side of the building it doesn't mean they didn't outsource shit to morons who in turn didn't give a shit in securing their clients' data.

    I would not be surprised at all if those details were stored in plain text, because that's how big companies work, right?
    I don't think you know how big companies work

  10. #650

    Join Date
    May 31, 2011
    Posts
    4,231
    Quote Originally Posted by XenosisMk4 View Post
    Quote Originally Posted by Cosmin View Post
    You know that from 1st hand experience? Because fk me, but companies have lied before and continue to do so, if it's written BA on the side of the building it doesn't mean they didn't outsource shit to morons who in turn didn't give a shit in securing their clients' data.

    I would not be surprised at all if those details were stored in plain text, because that's how big companies work, right?
    I don't think you know how big companies work
    And I think you have no idea of how slim margins are in the tourism/airline industry. Shaving off every cent wherever possible is all I've been seeing, left and right, for decades. Thanks to all the customers who were flocking to the Ryanairs of this world, so that any real airline had to scale down their cost structure.

    I'm not a hacker at all or a Java programmer, so correct me please if I'm wrong, but e.g. Amadeus (the global flight booking reservation system) has offered a version of their software called "Mobility Pack", which basically was a Citrix session running on their servers in München Erding. And they did expose the Java console to the Citrix session. I'm pretty sure that shouldn't be the case, and someone with the right skills may have been able to do something there with it.

    Also - for a long time the filekey (= 6 character booking code) was all you need to view any of their bookings online.

  11. #651

    Join Date
    April 14, 2011
    Posts
    6,743
    You can retrieve any booking from any airline with the correct 6 letter code and the surname.

    That's got nothing to do with payments infrastructure, PCI compliance or the fact that lying about data breaches is now a very serious criminal offence.

    Also, I was exactly right - web libraries compromised by a targeted attack.

  12. #652
    Cosmin's Avatar
    Join Date
    March 14, 2012
    Location
    UK
    Posts
    6,174
    Quote Originally Posted by elmicker View Post
    You can retrieve any booking from any airline with the correct 6 letter code and the surname.

    That's got nothing to do with payments infrastructure, PCI compliance or the fact that lying about data breaches is now a very serious criminal offence.

    Also, I was exactly right - web libraries compromised by a targeted attack.
    Haven't seen any execs put in prison over the recent years' breaches that were addressed with "please disperse, nothing to see here" which in turn turned out to be awful leaks of personal data.

  13. #653

    Join Date
    May 31, 2011
    Posts
    4,231
    Quote Originally Posted by elmicker View Post
    You can retrieve any booking from any airline with the correct 6 letter code and the surname.
    Not any longer: https://www.checkmytrip.com/cmtweb/w...ng.html#/login

  14. #654
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,598

  15. #655
    Donor Sparq's Avatar
    Join Date
    April 11, 2011
    Location
    Strayastan
    Posts
    9,516
    Gonna be interesting to see the knock-on effects of "lol use Facebook to sign in to X service" on this.

    Today,

    The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

    The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
    ~ I think a lot of people have a mental image of Chinese supply chain sabotage of hardware as akin to finding the Little Red Book duct-taped to the back of a motherboard: amateurish Middle Kingdom bullshit. Contrary to that, this sounds technically quite impressive a feat. It'll be interesting to see what if any long term repercussions are for Chinese manufacturing, if plenty big companies get the willies and ditch the Mainland as a result of this story doing the rounds.
    Last edited by Sparq; October 5 2018 at 03:56:09 AM.

  16. #656

    Join Date
    May 31, 2011
    Posts
    4,231
    Quote Originally Posted by Sparq View Post
    I think a lot of people have a mental image of Chinese supply chain sabotage of hardware as akin to finding the Little Red Book duct-taped to the back of a motherboard: amateurish Middle Kingdom bullshit. Contrary to that, this sounds technically quite impressive a feat.
    Indeed. In most minds - often in mine, too - China's still a 3rd world country. Which might even be still true for lots of parts. But when it comes to (any kind of) technology, they're either bridging the gap pretty fast, are already at the same level as the west or even have overtaken us.

    The next Google/Amazon/Intel etc. will be, or perhaps already is, founded in China.

  17. #657
    Donor
    Join Date
    April 9, 2011
    Posts
    1,363
    Quote Originally Posted by Sparq View Post
    ~ I think a lot of people have a mental image of Chinese supply chain sabotage of hardware as akin to finding the Little Red Book duct-taped to the back of a motherboard: amateurish Middle Kingdom bullshit. Contrary to that, this sounds technically quite impressive a feat. It'll be interesting to see what if any long term repercussions are for Chinese manufacturing, if plenty big companies get the willies and ditch the Mainland as a result of this story doing the rounds.
    It's an interesting story, on multiple layers. The technical side is absolutely feasible and not as hard as it might seem. The challenge is getting the IC they used (presumably a very basic microcontroller with an SPI interface and some flash) into a small enough package that it could be mistaken for a resistor network or some other passive component. That would require a custom part with quite advanced packaging.

    Getting the PCB manufacturer to alter the board layout and the assembly house to place the extra part on the board, without the design customer being aware of it, is unprecedented. If the Chinese government has that level of penetration into the contract electronics industry then absolutely no device manufactured in China, or that contains any parts manufactured in China, can be trusted.

    I don't think China's electronics industry will see a notable effect in the short term, most of their western customers are just looking to make disposable gadgets as cheaply as possible. For them the US tariffs are a way bigger deal than security problems. But anyone building secure hardware should be producing it in the US or Europe, making sure their supply chain goes nowhere China has influence, and validating random samples. Slicing the top from chips and examining the die to make sure they are what they are supposed to be.

  18. #658

    Join Date
    May 31, 2011
    Posts
    4,231
    Quote Originally Posted by Bombcrater View Post
    But anyone building secure hardware should be producing it in the US or Europe, making sure their supply chain goes nowhere China has influence, and validating random samples. Slicing the top from chips and examining the die to make sure they are what they are supposed to be.
    Erhm ... at least after Snowden et al I don't think that's a valid statement. It's more like the old wisdom applies: "If you want to get it done right, you have to do it yourself".

  19. #659

    Join Date
    May 31, 2011
    Posts
    4,231
    It'll be fun to see which side is right here, as both sides quite heavily "invested" in their side of the story.

    Meanwhile elsewhere people also have a look at it and come to different conclusions. This one caught my attention.
    “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company’s cloud-computing unit.

    [...]

    Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc (SMCI.PK), a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

    “I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

    Baker and the FBI declined to comment Friday.
    Source: https://in.reuters.com/article/china...-idINKCN1MF1CU

    I'm not familiar enough with "business speak" as to be able to tell what type of position "general counsel" is and if it's therefore worth noting these statements. But there's two actual names attached to it.

  20. #660
    XenosisMk4's Avatar
    Join Date
    July 13, 2017
    Location
    More turbo-lightspeed neoliberal platitudes/virtue signaling/misplaced priorities on full display.
    Posts
    5,516
    Quote Originally Posted by Hel OWeen View Post
    It'll be fun to see which side is right here, as both sides quite heavily "invested" in their side of the story.

    Meanwhile elsewhere people also have a look at it and come to different conclusions. This one caught my attention.
    “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” said the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company’s cloud-computing unit.

    [...]

    Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc (SMCI.PK), a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

    “I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

    Baker and the FBI declined to comment Friday.
    Source: https://in.reuters.com/article/china...-idINKCN1MF1CU

    I'm not familiar enough with "business speak" as to be able to tell what type of position "general counsel" is and if it's therefore worth noting these statements. But there's two actual names attached to it.
    General Counsel is just "the biggest lawyer we have" as well as being a first contact for general legal issues
