Sophos' Naked Security article "Boutique babycare website hack - not just the Big Guys at risk" link http://nakedsecurity.sophos.com/2013/01/21/boutique-babycare-website-hack/
The article is mainly about @JokerCracker (https://twitter.com/JokerCracker) hacking a babycare website.
[Personal comment: I really think hacking a Child or Baby care site publicly is about as bad as being a pedophile, and have to wonder about the motivation for doing so. I plan to cover ethics & morality eventually on this blog, as it relates to Security & Hacking issues.]
Of course the passwords were not encrypted.
They suggest not using services that you suspect don't follow best practices, which is nice-sounding advice, but not very practical for many people in real-world situations.
Generally speaking, there is no real way to know, without doing penetration testing, whether a site has good, fair, or bad security. Unless it is REALLY bad, like not using HTTPS for logins and such, which I have personally experienced.
Before I started this blog, I was putting a lot of effort into book reviewing, since I am a writer and a bookworm.
While exploring ways to get ARCs regularly (Advance Reader Copies: copies of a book printed before it is published, much like getting your hands on new hardware or software before it is released to the public, and a legitimate way to review a book before publication), I found a specific company I was really interested in working with that didn't use HTTPS on their site.
They required an SSN and other PII to apply to the ARC program; the PII was more or less needed, but they were clearly not handling the data properly.
I sent them an email about the issue, and from their response it was clear they were so clueless about best practices that there was no point in trying to educate them until they get hacked.
There is a saying, something like "Fools never learn, most people learn the hard way, and wise people learn from others' mistakes."
Monday, January 21, 2013
Sunday, January 20, 2013
Security & Hacking: Java exploit Number ∞
http://nakedsecurity.sophos.com/2013/01/20/java-hacker-boasts-of-finding-two-more-unpatched-holes/
http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
Seems like you can find new Java exploits a lot faster than they can be patched, so if you're concerned about security, stop using Java in browsers!
Course, if you want to make sure Blackhat Hackers don't starve, keep using it, </sarcasm>
Monday, December 10, 2012
Security & Hacking: The not so secret Secret Service
http://nakedsecurity.sophos.com/2012/12/10/secret-service-sensitive-files-metro-train/
Not only was this PII, it was PII for the US Secret Service.
So, if I am understanding this correctly, you could find the addresses etc. of people on protection details for the President and other VIPs!
Probably with a bit of work you could also figure out which people were likely to be on protective details from this type of information.
I really think they should have been using stronger encryption, and a secure courier or something far more secure than a new low-level employee riding public transport alone.
Monday, December 3, 2012
Security & Hacking: "Tumblr worm hitting websites, posting identical message from GNAA"
http://nakedsecurity.sophos.com/2012/12/03/tumblr-worm/
see also http://nakedsecurity.sophos.com/2012/12/03/how-tumblr-worm-worked/
From the second link:
"It appears that the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages."
Friday, November 23, 2012
Security & Hacking: "Hacked Go Daddy sites infecting users with ransomware"
http://nakedsecurity.sophos.com/2012/11/23/hacked-go-daddy-ransomware/
Yet another reason not to use Go Daddy IMO.
No response yet from Go Daddy about the problem; it is not clear to me how widespread this problem is at the moment.
Will post more if I find out anything useful.
Thursday, November 8, 2012
Security & Hacking: Sophos Vulnerabilities & Tavis Ormandy
Monday, October 22, 2012
Security & Hacking: Exploiting Badges in Public
http://nakedsecurity.sophos.com/2012/10/22/how-flashing-can-reveal-your-identity/
Just think what a prepared person could do with a good DSLR!
Or a moderately priced telescope with a digital camera hookup pointed at a building entrance, or more cunningly at a food place near the actual target.
This type of thing reminds me of the old days and dumpster diving.
Saturday, October 20, 2012
Security & Hacking: "National Weather Service website hacked"
http://nakedsecurity.sophos.com/2012/10/19/national-weather-service-website-hacked-by-kosovo-hackers-security/
"A post on pastebin.com by a group identifying itself as "Kosova Hacker's Security" took credit for the hack and posted lists of files allegedly copied from the servers as proof."
So, just another example that you can get malware even from "safe" sites, which is one of the most common excuses I get from friends/family that I am trying to get to follow basic computer and net security procedures.
Tuesday, October 16, 2012
Security & Hacking: "Hackers hit small US town, steal tax payer data and $400,000"
http://nakedsecurity.sophos.com/2012/10/15/burlington-hacker/
Online banking isn't safe, though everyone is gradually being forced in that direction, since mailing statements cost time and money.
If you are going to do online banking or other financial transactions, like stocks or other investments, then use a Live CD or, as a distant second choice, an iOS device on a private password-protected WiFi connection.
For iOS devices, where security is concerned you want an iPad 2 or newer, iPhone 4S or newer, or 2012 iPod Touch or newer, because there are hardware-related limitations to the security of earlier iOS devices (some security features were added in the hardware, and some of the more recent software security features require the more powerful CPU etc. of the newer devices).
Here is a guide to using a Live CD by someone who knows what he is talking about, Brian Krebs: http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_non.html
The link above is an older one from when Krebs was still writing for the Washington Post; here is a more recent one from the Washington Post (2010): http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
And one from this year on Live CDs from his own blog, Krebs On Security: http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/
I have also suggested to a few people that having accounts at two separate banks or credit unions, with their money split between them, would be helpful if they do get hacked.
Since you might only lose money from one institution, you would still have some money available to pay rent or mortgage, buy food, keep paying for medical and other important insurance, and buy medicine.
You might get some money back if this happens to you, but there is no guarantee of that.
Sadly for the city workers hit by this, the ones who were getting their paychecks direct deposited, even having two separate accounts might not have helped them at all.
Tuesday, October 9, 2012
Adobe patch, make sure you get it.
Both Brian Krebs http://krebsonsecurity.com/2012/10/critical-adobe-flash-player-update-nixes-25-flaws/ and Sophos http://nakedsecurity.sophos.com/2012/10/09/adobe-security-update/ cover this latest patch/update.
Tuesday, August 14, 2012
Security & Hacking: Hardware Hackers
"Family of potential network hackers thwarted by Australian telco engineers"
I tell you it is genetic.
Stay Safe!
Monday, August 13, 2012
Friday, July 27, 2012
PSA: Twitter Blackhole Malware Alert
See Sophos Naked Security Blog post for details.
Current versions use a tweet along the lines of "is it you in this photo?" with a link, but the link installs malware.
Friday, February 24, 2012
PSA: Facebook, Your Data, the Government, & More
Forbes just released an online story about Facebook's Chief Security Officer. I recommend that everyone who uses social media read the story; it reveals a lot of information about how Facebook handles data privacy and related topics like cybercrime.
[If this leaves you looking for more you can read Computerworld's "Facebook settles FTC privacy complaints" and PC World's "Facebook Commits to Changes Following Critical Irish Audit" details of the Irish audit: Report of Data Protection Audit of Facebook Ireland. But this Blog post is about the Forbes article.]
You will probably find some things that surprise you, like how many people working at Facebook just deal with law enforcement requests for information.
Or the Security Bug Bounty, where you can make money as an Ethical or White Hat Hacker.
One thing I learned (maybe I had heard it before, but if so it didn't stay in my memory) was that Facebook partnered with Sophos to take down some Russian cyber criminals.
I follow the Sophos Naked Security Blog, one of the best IT Security blogs out there.
I usually run into a few people every month in the Starcraft 2 community who are surprised that I am not on Facebook at all; usually they are not aware of these issues.
When I read the Forbes article, I felt that they provided a very good overview of Data Privacy as it pertains to Facebook.
Though I thought there was a slight but clear bias toward Facebook in the Forbes article (i.e. they are painted as the "good guys" and no mention is made of the Irish audit), I think Forbes has done a much better job of explaining the data privacy risks of Facebook than I have ever done.
So I encourage everyone to read it, and please note: I am NOT saying you should not use Facebook; I am saying that you should do so with a clear idea of what that means for anything and everything you put on Facebook.
Forewarned is Forearmed
You may also find Nerd News: Post SOPA, EU vs USA Internet Freedom & Rights worth reading.