
Time and again I read stories about products that come pre-pwned with malicious software. Recently a few people were ruminating about pulling together a list of these battery chargers, digital frames and the like.
Lo and behold, one already exists. Something tells me I should have assumed that it would be found here at attrition.org.
From Attrition.org:
For reasons unknown, vendors occasionally fail to maintain quality control over the media they ship. Whether it is CD-ROM, DVD, USB or some other form of media, it may contain viruses, trojans or even drug-runner music. When this happens, the software you receive obviously can’t be trusted in any fashion, and installing software from already compromised media immediately puts your system’s integrity in question.
For more on this be sure to check out their page.
(Image used under CC from msmail)

Sometimes you find yet another reason why people should be made to pass an intelligence test before they’re permitted to engage in social media.
Just saying.
(Thanks to attrition.org for pointing that one out)

There are few things that annoy me more than when a vendor bends the truth to try and sell a product. Here is part of an email that I received yesterday.
Dear Dave,
As you are most likely aware, last week David Litchfield from NGS has blessed the world with another cyber attack announcement on Oracle databases that allows an attacker to take complete control of an Oracle database system. No fix is available by Oracle.
Litchfield has been infamous for doing something similar with the slammer worm that affected millions of companies a few years back. This irresponsible move has even more companies worried today about a potentially greater new security risk.
$VENDOR sent out an announcement last night. If you did not receive it please let us know and we will get you the information.
$VENDOR is the only company globally capable of fixing this issue. The details are in the announcement:
Ah, the joy of getting half the story.
What David did at Black Hat in the summer of 2002 (and I was in the room for it) was show a proof of concept for what eventually became Slammer more than 6 months later. The implication in the email was that he had released the worm. Not sure if that was intended, but that was my takeaway.
This is not the way to win customers. Tell me why your product stands on its own two feet. If you want to sell your product don’t play the Coke vs Pepsi nonsense. And for all that’s good and holy…don’t tell me that only $VENDOR can fix it.
Don’t piss on my leg and tell me it’s raining.
Rant off.
(Image used under CC from John Markos O’Neill’s Flickr feed)

You know, I have always been bothered by the American Express website password limitations, but I admittedly never ran this one to ground. Well, someone ran with it. The password has always been limited to an 8 character maximum and no special characters.
I never imagined something quite this daft.
From Twice Refried News:
Thank you for your email regarding your online password.
I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.
The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed”.
Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.
*facepalm*
For the full email response, read on.
(Image used under CC from fireflythegreat’s Flickr feed)
Watch the guy in the background that lines up with the talking head’s right ear. I wonder if that guy got sacked. Note to the readership, surfing porn at work, while it may seem like fun at the time, is an epic bad idea. Just saying.

Surreal. Here’s a story that pushes the edges of…well, common sense. The real problem is what could potentially happen if the bank wins in this case.
From Krebs On Security:
A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.
Read on for the full article.
On a side note be sure to subscribe to Brian’s RSS feed. He’s a must read writer in the security space.
(Image used under CC from peggyarcher’s Flickr feed)

Ah, the epic fail abounds today. Now, having formerly worked for the DoD as a contractor I can say there are good contractors and others that should be given a cigarette and a blindfold.
I wonder where I’m leaning on this story.
From the WSJ:
Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.
Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.
Now, first off this isn’t hacking. Transmission was/is in the clear. It’s just piss poor design and I’m rather amazed that this one made it into the field without someone catching it. Or maybe they did and were told to hush up in favour of meeting deadlines?
If you send data, or anything else for that matter, in clear text, you have zero expectation of privacy. Zilch, zip, nada and bupkis.
Just to put this firmly in perspective for our non-technical readers this is as secure as…

Or this…

For more on this story please follow the link to the WSJ article.
Article Link (Thx Brooks)
UPDATE: More information on this story from Wired. Apparently, this clear text problem affects more than just drone aircraft.

Wow. Dumb as a rock.
I can rant until the cows come home about how people need to be more cognizant about what they put up on social networking sites. The original dumbass was the “Facebook Fairy“. Then there is the continual parade of Nigerian scam suckers. There are so many examples that could fill multiple tomes.
I doubt that people will ever collectively clue into the fact that there is zero privacy on social networking sites. You can never expect to maintain privacy on a site that you don’t control.
Sigh. I’m done venting.


How much do I detest patent trolls? Let me count the ways.
From TG Daily:
A case started in a Delaware court which accuses Cisco, IBM, Check Point Software, 3Com, Nokia, Fortinet and Sourcefire of infringing a network security patent.
Enhanced Security Research alleges that the firms breached a patent it has, US 6,119,236 called Intelligent Network Security Device and Method, and another patent, 6,304,975B1. The patent was granted to inventor Peter Shipley on September 12, 2000. Shipley has assigned the patent to Enhanced Security Research.
The patent in question can be found here US 6,119,236.
(Image used under CC from zzathras777’s Flickr feed)

A link made the rounds recently for a publicly available site wherein a person could sign up for a free version of Microsoft TechNet. As was my suspicion, it was too good to be true.
Fine, I’ll live.
That page is now offline of course…

The part that pisses me off is this email from “[REDACTED] Inc.”
Dear Dave,
Microsoft contracted with us, [REDACTED], Inc, to conduct the TechNet Plus Pilot Study program research and manage the activities of the pilot study. Our records show that you have recently signed up for a free TechNet Plus subscription through a registration link that was made available without authorization on a public blog.
The registration link is part of a proprietary study and the party that shared the information was in violation of the terms and conditions to which they agreed to participate in the study. Membership to the Pilot study is limited and all members of the program are required to first meet survey requirements and then complete tasks and assignments over a two month period in order to qualify for and have access to the free TechNet Plus subscription. Since this was a privately conducted pilot study, at no time was it ever intended that a free TechNet Plus registration link would appear on a public internet site, which was done in violation of the terms to which participants agreed upon registering to participate in the pilot study.
We are very sorry for the inconvenience, but for this reason, we have deactivated your subscription, as well as all other subscriptions resulting from the unauthorized publication of the TechNet Plus Pilot Study program registration link on a public blog. Again, we apologize for any inconvenience.
Kind regards,
The [REDACTED] Team
If you are interested in a TechNet Plus subscription, please follow the link to purchase: http://technet.microsoft.com/en-us/subscriptions/renew.aspx
This e-mail and all files transmitted within are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please do not reproduce, print or forward any material received unless granted express permission by the sender. Thank you, [REDACTED], Inc.
The research and communications administered by [REDACTED], Inc is conducted according to the highest standards of the Market Research Society’s code of conduct. Your information will not be shared with any third party for any reason.
Microsoft is committed to protecting your privacy and has commissioned [REDACTED] and its partners (click here to read [REDACTED]’s privacy statement) to oversee the Survey and collect survey responses and communicate with interested respondents and individuals. Should you wish to no longer receive e-mails from [REDACTED], please send an e-mail to [REDACTED] with the word “remove” in the subject line.
Please notify us if you are receiving this message in error at [REDACTED] and delete all contents of this email.
Review Microsoft’s Privacy Statement here.
address removed
Blow me.
If you make something publicly available with no description attached you get what you deserve. There was no authorization required to access the sign up page. No controls were bypassed. “Private”? Someone should have their head examined. And no, I’m not bound by your email footer.
So, due to [REDACTED]’s fuck up, all the people who signed up for the “free” TechNet are out in the cold.
Hey Microsoft. You might want to consider getting a refund.