The news of the day in Poland is that wykop.pl - a Polish site doing the same thing as digg.com - got owned in a pretty bad way: the database with users' login credentials and e-mail addresses was stolen. This post is the result of gathering info from public sites (in Polish - mostly from Dziennik Internautow, which gave nice coverage), so all of it is already in the public domain - otherwise I wouldn't quote any fragments or refer to any of the information given here.
Info about breach goes public
Following what Dziennik Internautow wrote in their post, on 5 Sep 2009 a person using the nickname Gimbus1xD informed the administrators of wykop.pl about the breach (no link - original post taken down) and about the fact that some of the stolen information had already been used to compromise accounts held with other websites, including allegro.pl (an auction system like eBay). To prove his revelations, Gimbus1xD also posted screenshots of a compromised Allegro account with transactions that happened two days earlier, and another one of PHPMyAdmin browsing the 'users' table.
The scary part here is that, as Gimbus1xD wrote, about 40% of those passwords have been broken (despite being hashed) with simple dictionary and brute-force attacks, because the passwords were up to 7 characters long.
Allegedly the database is in the hands of vichan.net admins, who again allegedly shared the 'unhashed' database with their moderators - including Gimbus1xD, who broke the news. So far it's not clear what made Gimbus1xD change his mind and make this information public.
That's not yet the end...
Sunday, 6 September 2009
Thursday, 27 August 2009
How mobile can mobile broadband be?
Quite recently I had a chance to travel by train from London to Manchester and back. The journey was not bad in fact - first class on Virgin Trains does the trick... even more so when you have free wi-fi included and power sockets at almost all seats.
So does it work at all? Well - quite frankly yes, it does. Even at cruising speed it's quite stable, but don't expect broadband speeds! I was wondering how it's done, because the hot-spot is provided by T-Mobile, so most likely something like a 3G broadband deal, shared among all passengers. Let's see where we are...
Wednesday, 26 August 2009
Microsoft's EPIC FAIL
Probably everyone has seen it already... It hit reddit.com yesterday, getting to the top of the front page, the BBC wrote about it, it was all over Twitter, and it even got its own video clip/mockup, etc. Simply the best FAIL!
The BBC did a great job of capturing it (see the BBC link above for the full article) - I was too slow to do a screenshot this time :-/ I have removed the image from here - I don't want to upset the BBC by copying their content without permission (although I could probably call on fair use - anyway, just see the links above and that's it).
Funnily enough, the link on reddit.com that points to dropbox.com is no longer valid (404 win!) and Microsoft has replaced the image with the original one (oops - forgot to resize the orange bar below the text - that happens if you have a rocket up your ****), but no worries, you have faithful users on the Internet :-D
Sunday, 7 June 2009
Are TFL top-up machines secure?
Another day, another FAIL. This seems to be becoming my daily routine, but that's another story.
This time it's TFL - operating London's public transport network that covers the underground, overground, DLR, buses and whatever else comes.
During one of the Security Now! podcasts (#193 was about Conficker, so it was somewhere between #194 and #196) one of the main discussion topics was (to no surprise) why Windows shouldn't be used in places like ATMs, hospital equipment (MRI scanners, heart monitors, etc.) and most of the other control systems we have and use today.
In fact it's really hard not to agree with that. The arguments were very clear and sound:
- Most if not all of those systems are "consumer grade", not any kind of "industry type" things
- They are connected to the network
- They are not patched in general (it works so don't touch it)
- Most don't run any antivirus/firewall (not related to business function?)
- Many were not planned to be put on-line in any way (but we know they are)
T-Mobile (U.S.) got owned?
A few minutes ago I came across a Full Disclosure post saying no more and no less than:
"Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009."
If that's true... Ouch!
Just a few hours ago I was thinking "what a nice and quiet weekend evening", hmmmm... it seems it was just the quiet time before the storm hits. I guess the news coming from the world may be very interesting, so let's wait and see what happens.
Saturday, 6 June 2009
EC-Council courses certified by NSA
Chris Riley brought up a good post on his blog... something I totally missed in the news :-o
Following (literally) the press release from EC-Council we read "EC-Council Courseware certified to have met the CNSS Standards by the United States National Security Agency (NSA) and the Committee on National Security Systems (CNSS)". Shocked? I am!
What does it change or prove?
From my point of view it says that EC-Council knows how to do marketing, which obviously they do a lot. My impression when meeting EC-Council people at different expos and conferences was like, uhmmm... security? WTF? Business is business, the most important part is to keep it going. Create a business model (hey - I don't blame you for that, good you succeeded!), build a brand, a loyal user base, make some media stir and here you go. It's simple - if I see someone talking about security with $$$ signs in his eyes, that's a sign for me to back off and go elsewhere. That's my personal impression regarding EC-Council as an organization - full stop.
My thoughts on standards and compliance
Chris has raised in his post some really good points about material quality. I would add that conforming to standards and requirements (be it the well-known old friend ISO 9001 or any other ISO-based standard, PCI-DSS, etc. - you name it) is just a matter of proper wording in the marketing materials and in some internal paperwork. I used to work in this area for some time (i.e. standards, certification, implementation, paperwork - I've been on both sides of the process, from the bottom to quite high in the chain) and I can tell you that there are two ways to achieve so-called "compliance" with any "standard" I have come across so far - make damn sure you do what you say you do, do it very well and make sure it conforms to the requirements... or make sure the auditors don't bother reading :-) and "OK" what they got. First-impression methods, social engineering, etc. - a great place to apply those!
Paper will accept anything you want, but this doesn't change one bit what people know, what they do, how they work, how they use their knowledge (how much they are worth), etc.
Nothing has changed... exactly nothing!
Thursday, 30 April 2009
The good, the bad and the ugly - Infosecurity Europe
Quick summary of Infosecurity Europe 2009, based on a bit more than a day I've spent there...
THE GOOD
There is always some good stuff at the conferences like Infosecurity. This one is no exception!
- Infoguard had fibre taps (photo by Chris)
- EDR was more than happy to show us how their data destruction really works... and after that you are left with a disk... almost like new :-) Thanks for the demo!
- ACUMIN had a full-scale, proper hardware simulator of a Robinson R22 helicopter - great stuff, I got through 2 gates and won an RC helicopter :-)
- The Information Security Awareness Forum together with SANS offer a free course that ends with a GIAC STAR (Skills Test and Report) - this is a very time-limited offer!