Recently in FAIL Category

The news of the day in Poland is that wykop.pl - polish site doing the same stuff as digg.com - got owned in a pretty bad way - database with user's login credentials and e-mail addresses was stolen. This post is a result of gathering info from public sites (in Polish - mostly off Dziennik Internautow which gave nice coverage) so all of it is already in public domain - otherwise I wouldn't quote any fragments or call on any information given here.

Info about breach goes public

Following what Dziennik Internautow wrote in their post, on 5 Sep 2009 a person using nickname Gimbus1xD has informed administrators of wykop.pl about the breach (no link - original post taken down) and about the fact, that some of the information stolen was already used to compromise account held with other websites, including allegro.pl (auction system like eBay). To prove his revelations, Gimbus1xD posted also screen shots of compromised Allegro account with transactions that happened two days earlier and another one with PHPMyAdmin browsing 'users' table.
 
The scary part here is that as Gimbus1xD wrote, about 40% of those passwords have been broken (despite being hashed) with simple dictionary and brute-force attacks because passwords were up to 7 characters long.

Allegedly the database is in the hands of vichan.net admins, which again allegedly shared 'unhashed' database with their moderators - including Gimbus1xD, who broke the news. So far it's not clear what made Gimbus1xD change his mind and make this information public.

That's not yet the end...

Probably everyone has seen it already... It hit reddit.com yesterday getting to the top of the front page, BBC wrote about it, it was all over Twitter, and got even it's own video clip/mockup, etc. Simply the best FAIL!

BBC did a great job in capturing it (see BBC link above for full article) - I was too slow to do a screen shot this time :-/ I have removed the image from here - don't want to upset BBC by copying their content without permission (although probably I might call it on fair use policy - anyway just see the links above and that's it).

Funny enough link on reddit.com that points to dropbox.com is no longer valid (404 win!) and Microsoft has replaced the image to be as the original one (oops - forgot to resize orange bar below the text - that happens if you have rocket a up your ****), but no worries, you have faithful users on the Internet :-D

Another day, another FAIL.This becomes my daily routine it seems, but that's another story.
This time TFL - operating London's public transport network that covers undergound, overground, DLR, buses and whatever else comes.


During one of the Security Now! podcasts (#193 was about Conficker so it was somewhere between #194 and #196) one of the main discussion topics was (to no surprise) why Windows shouldn't be used in places like ATMs, hospital equipment (MRI scanners, heart monitors, etc) and most of other control systems we have and use today.

In fact it's really hard not to agree with that. The arguments were very clear and sound:

• Most if not all of those systems are "consumer grade", not any kind of "industry type" things
  
• They are connected to the network
• They are not patched in general (it works so don't touch it)
• Most don't run any antivirus/firewall (not related to business function?)
• Many were not planned to be put on-line in any way (but we know they are)
  

The machine above takes cash or card - can we trust it then? Does it run anti-virus software and firewall (it's networked - it should)? How can I be sure it won't do what some ATMs in eastern Europe did? We can't be sure of anything if they end up like above, so feel free to add those to a 'Windows no-go list' if you wish and do top-ups on-line at the TFL website - I think it will be safer than at those machines - in general they don't reinforce any trust I might have had for them some time ago.

Few minutes ago I came across a full disclosure post saying no more no less than

Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidental documents, scripts and programs from their servers, financial documents up to 2009.

If that's true... Ouch!

Just few hours ago I was thinking "what a nice and quiet weekend evening", hmmmm... seems it was just a quiet time before the storm hits. I guess that news coming from the world may be very interesting, so let's wait and see what happens.