Discussion in 'tech' started by Lain, 11 Jun 2011.
I don't wanna think about it!
This is actually false. I believe they SHA2 hashed all credit card and password data.
In this case, however, I imagine people would have preferred the credit card details and passwords to be leaked compared to what actually WAS unencrypted & leaked.
The real damage is the emails, billing addresses and names, and perversions of each of the cheaters.
Wanna see how faithful someone you know is? Run their email address through one of the new "tools" out there making use of the database.
Protip: only check if you are sure you want to know.
They didn't 'crack' any SHA2, the key was improperly stored. That is also regulated. If you store the key in an insecure place, you might as well not bother encrypting.
Ashley Madison Hackers Speak Out: 'Nobody Was Watching'
This is a company that services over 30 million users. If the above statement is true, the entire Information Technology department should be up on charges for fraud, and every one of them is open to a class action lawsuit that will no doubt obliterate their lives beyond recognition.
And fuck every last one of them. How absolutely disgraceful. I am ashamed to be lumped into the same category as these fucking monkeys.
Security Experts my ass. Experts in sitting on theirs and ignoring BASIC NETWORK SECURITY PROTOCOLS that an ENTRY LEVEL CIS technician should know like the alphabet.
FUCK OFF. Seriously.
The best metaphor I can use to describe this scenario is for you to imagine a bank, wrapping up at the end of the day leaving cash in the drawers and the vault door open, walking out with the front door unlocked and the security system disarmed, hoping no one would walk by and try the door (because most people assume it's locked and are afraid of the jail time they might incur by robbing a bank).
The hackers, however, didn't care about the consequences, tried the door, found the bank open and went in. They then took everything that wasn't nailed down. Money, computers, security systems, etc, etc, etc and walked out the front door, leaving a note on the way that reads "thanks for the shit, bitches!".
The only reason anyone even knows about these guys is because they contacted their target to inform them they had stolen everything they owned, and are now going to share it with anyone who gives enough of a shit to get a piece.
I have entry level certification and know better than that. That exact password is a very common example in the process of obtaining the cert of a piss poor password that needs to be changed immediately and something NOT TO USE.
And being able to even VPN remotely to root for EVERY server?? I would never, ever allow it. If you need root access, get your fucking ass in the office and log into the internal network, because that is the ONLY place it should be allowed from when dealing with such sensitive stuff, and ONLY from specific terminals. If you NEED emergency remote access... ummm.. RADIUS? Anyone? Segmentation of privileges? Different logins for every server? Authentication services? Authorization, and fucking ACCOUNTING so you know when someone is trying to break in or DOES break in, or even to know if a tech is logging in at midnight to jerk off to the customer emails he is peeking at?? NONE of these were used? HELLO?? This is security and networking 101 stuff. Been around as long as the public internet, and works quite well to help prevent EXACTLY THIS. It is basic security and would have kept most hackers out. Due to the sheer SIZE and SENSITIVITY of this company, they would have needed even tighter measures than those basics they missed!
Dipshits. I haven't even worked in security and am fully able to comprehend how incredibly derpy all this was.
You know who has some very impressive Security protocols and standards? The Nevada Gaming Control Board.
Having worked for several Casinos in the state of Nevada, I can tell you that if more people adopted their standards, there would be less of this kind of shit occurring.
Back in the day and all of that, when the entire universe wasn't connected at the speed of light to the other half, password failure was more of a nuisance than a disaster (most of the time). Now, it's imperative that proper password protocols become everyone's mainstream way of thinking.
Just as you lock your house and your car and set the auto alarm, you should put as much effort into securing and choosing a secure password. Rotating it every 30-60 days and not reusing any passwords for multiple accounts, or reusing a previous password you have used before (even if it is for a different account).
Allowing production level equipment to be deployed into a live environment with public access in its default condition is unacceptable for even the most basic of security types.
EVEN BASIC IT TYPES should know this stuff, whether or not they have a security background. It's not security stuff, it's common sense. Just like resetting your devices before handing them off to some asshat who's going to dump the contents and pick through your life.
For the sake of argument, it's safe to assume that anything showing up in a modern dictionary is NOT an acceptable password. I prefer phrases, intermingled with symbols to represent letters (wannabe poser hacker types call this 'leet' or 'elite' script, really it's just a poser thing that makes for good passwords).
etc, etc, etc.
Yes, I've posted a lot of this before, yes it's redundant, but this AM thing has me weeping for the future of our privacy and security.
And for the love of the World Wide Wastebin stop posting so much personal information on the Interwebz.
I'm super cereal.
The gaming board is no joke. They shut your ass DOWN, take your license away, and bury you in fees and penalties. Recovering from a misstep with them is a nightmare. People do NOT fuck around there, and follow every single rule and dot every single i. Casinos go down overnight if they fuck up, and they never come back. It happens rarely because it is a VERY bad thing to fuck with, and security is way too tight and regulated for missteps to be an accident or break-ins to be common or simple. The standards are so tight, even large casinos need to add very little on top of what they already are required to do by law.
Do you know what area of casinos has one of the highest turnovers? Cage cashiers. No fucking joke. Those clowns deal with millions of dollars in cash, and think no one will notice if a few dollars go missing. They catch them EVERY SINGLE TIME. And nail EVERY SINGLE ACCOMPLICE too. If they watch their pennies that tightly, imagine how tightly they watch the computer systems that run the machines that generate the money! Frankly, casinos have always made me nervous. Big brother knows my every move, where every dollar that leaves my purse ends up, and certainly every single thing I do on the machines, down to how long I take to make up my mind on a hand. It's creepy as shit. There is a reason Ocean's 11 is fiction, and you don't hear about break-ins at Nevada Casinos. Banks have lower hanging fruit than they do, and are thus broken into far more often. They also aren't as tightly regulated, frighteningly enough. Even the mob, who are notorious for how good they are at bending and breaking rules, don't fuck with the gaming side (but are still fully within their right to take you out back and kick your ass. They just can't rig the machines or launder money through the gaming part. God bless America!)
But credit card info? Personal info? Meh, I'll just put it on a server connected to the public internet and use an easy password so I am not inconvenienced when I need to get to them. It's not like anyone will come looking for the info other than me, right?
Social engineering actually sounds like fun. If I find myself in security, and am doing audits... I am so going to be using that more than any other tools. It makes me cringe a little, because it is mean to single people out and get them in trouble... but it is the ultimate learning experience, and is better me than a REAL intruder and the fallout that would follow. People can have their facebook and twitter and whatever... they just really need to use their security settings, be aware of the risks, and to SEPARATE work and home lives!
The stories I could tell about the piss poor security at my last job... let me just say, I could have done some seriously crippling damage to my jobsite, and left a dent in corporate if I was malicious or disgruntled. Luckily, they tend to only hire cute and clueless girls and give them the keys to the kingdom. And the IT department is aware of what is going on too. But, one day...
Oh, and I can't wait for wally world to be brought down too. A malicious insider, an associate, could do it. They give away administrator access and leave computers with admin access lying around the store to access their inventory systems. They also have PCs connected to corporate that associates are sent to use for training, unsupervised, and can put whatever credentials they want since the same password schema was used for everyone. Pretty obvious that revolving door management would also use the same schema. And the PCs were not locked down. I was able to exit out of the training GUI to a full admin access desktop running Windows XP, and nothing would have prevented me from just plugging in a little USB stick with a little code on it before heading back to work. Ho-hum. That one will be fun to see.
The fallout is always entertaining to watch. It's the aftermath that's a real bitch.
Kid hacks his parents' cell phones to change the word no to... other things
your router (maybe)
But the good news is, this malware appears to actually attempt to make your router more secure.
Yes, an interesting little piece of code. Not a bad idea, actually, hacking people's routers to make the rest of us more secure.
If people would change the default credentials on their gear this would be a non-issue more often than not.
I saw an SSID today called 'Hidden Access Point'. It was obviously not hidden. It is the effort that counts, I think... -_-
Hidden access points are a waste of time anyway. You would be surprised, or possibly not, how many people are remiss in reading past the "Quick Start" poster on any given piece of technology.
As such, I can safely say that even in a corporate environment, which has rigid security policies and practices in place (rolleyes), there's always a device, somewhere, on some subnet, in some office, that has a default credentials issue. And if you're stupid enough to have it on a vulnerable subnet, then I hope you brought your lunch because the boss will be reading you the riot act after my report has been given over.
One of my favorite stunts is when someone, usually someone with less than official clearance, goes to Staples and buys a router because they NEED to use the wireless on their laptop when corporate has specifically provided only a hardwire solution.
Attention shithead, there is a reason for that. The main reason is that any auditor worth their salt will perform wireless sweeps of any location before attempting any sort of complicated hardline access. (And 7 out of 10 times that's all you'll need).
It's always a sweet bonus when the IT guy has enabled control of the router from the WAN (outside the network from the interwebz) because he's too fucking lazy to drive down there when he gets a text to fix a password/username/other mundane issue that will take more time to drive down there than to actually resolve. (But that's your job dickface, that's why you are being paid 20+ dollars an hour, or were before I audited your shit ).
Rabble, rabble, rabble, rabble, I'm just having a bad day. My cynicism is showing pretty hard.
Jury finds journalist guilty of aiding Anonymous in media hacking case
I wish I made $929,977 for a 40 minute web hack cleanup. What fucking train did I miss to get that gig?
I love the part about how the hacked company had to spend money protecting its servers. Why didn't you spend that money in the first place and stop the risk of an assault?
When people with access to sensitive information leave the fold, or you suspect they are leaking confidential information, you remove their access and revoke any system rights their login(s) had, then issue a mandatory change of credentials.
Get yourself together folks, you're your own worst enemy.
How unpatched servers hurt us all
I use ad blocks up the wazoo, and always stick one on any browser I install, whether for myself or clients or friends.
But, I admit content can be inserted other ways from webpages. It still is easily over 90% effective to use third party blockers. The leftover concerns are targeted attacks, which a third party may assist in blocking as well since they get automatic updates from a third party instead of relying on updates from a single internal (and potentially incompetent/compromised) source.
Through my studies, I realized this is the biggest flaw in enterprise security: using a single point of failure for ease of administration and cost concerns. There also seems to be something about a need to 'buy in' to a custom solution instead of using tried and true consumer solutions deployed on all systems. I think there is wisdom in using the company firewall etc, but also using third party browser add-ons to block ads and/or scripts. Reduces load on the company firewall for starters, but also adds another layer to avoid having a single point of failure.
Security+ jogged me through all the threats out there, and all the ones you mentioned, Lain, but not how to solve them. I just know the kind of concerns and threat types that are out there, but still lack the knowledge to implement any kind of solution. I know enough to get myself in trouble, talk the talk, and worry I might get myself in over my head in tech because of it. Just because I know about it doesn't mean I know what the eff I am doing.
Just my perspective, of course. I haven't seen any seriously big baddies yet, just all the normal pedestrian crap.