It had to happen eventually. Controversial hardware manufacturer Foxconn was reportedly hacked late on Wednesday and a heap of staff email log-ins and intranet credentials posted online which could allow third parties to lodge fraudulent orders. In a lengthy message posted to Pastebin, hacking group Swagg Security claimed the …
I think it's outrageous, the way these workers are treated like slaves just to make shiny stuff for decadent Westerners.
Sent from my iPhone
"is the hilarity that ensues when compromising and destroying an infrastructure. How unethical right?" -- Quite. A bit like a Prison Guard watching a fresh script kiddie getting his first gang raping in prison.
I'm not aware of any free or purchased scripts which can compromise a firewall-based system such as Foxconn's without major penetration testing and refinement (usually noticeable) or being run internally.
I know it makes shit-tier sysadmins (such as many Reg ACs) feel cool to think they're somehow skilled beyond the people who make them look like idiots so perhaps this unwarranted name-calling is related?
I love how you say firewall-based as if that instantaneously makes the site more secure. It doesn't, they still need to open ports to the outside world and you can distribute the penetration test across a botnet to avoid detection.
There are several worms and general attack tools that try multiple attack vectors such as common php/iis/asp programming errors and password guessing on any open port (ssh, ftp, smtp-sasl, pop3) that takes a password. My server logs are stuffed full with the resulting warnings even though each host can only try 4 times before being blocked.
Agreed completely, and that's kind of the point. Any competent admin will do their best to lock that shit down as far as is possible given the company's requirements.
In suggesting that those who cracked Foxconn simply bought or downloaded a script, our AC above is actually mocking their network, not the crackers. And the thing is, if Foxconn were THAT easy to crack, somebody (likely some environmental group or ethical labour campaigners) would have done it long ago.
A firewall is like any other wall. If it stays up for a long period of time without any unauthorized individuals getting through, you've done it well. If you've done it well, getting past it is not trivial (from the outside).
However, according to their Twitter feed the hackers gained access to Foxconn’s systems via an “outdated vulnerability” in a version of Internet Explorer which was being used internally by the company.
So they are using IE6 and Active X in the management suite then?
Unfortunately the Active X bit is likely to be true, as historically, this was the preferred login mechanism for East Asian banks.
IE6 is widely used in China as many people run dodgy copies of XP and Microsoft lock them out of later versions with WGA.
...we all know how secure Microsoft's products are!
Honestly. Somebody's running a 10 year old system and that's Microsoft's fault now.
Some people should not be allowed keyboards, ever.
Shame on Pastebin...
I'm surprised that Pastebin would accept logs of usernames and passwords when the only motivation for the attack was just for kicks. No political motive, no ethical motive, no moral motive. They hacked them "cos we can".
That's not what Pastebin is for, is it?
Well except for porn site logins, but still there may be a moral objective in that. Just depends on your moral values.
I take it you have no idea what Pastebin is. Pastebin is for quickly passing around large amounts of text for cases such as support requests and if they took the time to accept or deny things then it would be useless for the task it was designed for.
Given their history you can bet they will take down the logs as soon as they find out about them, but complaining they didn't block them in the first place is just unreasonable.
.they'll do the "ethical thing" and manipulate the HR/Payroll system therefore enabling Foxconn's "slave labour force" to earn a decent wage..
Paris: Because there's no such thing as too much disposable income
Or better yet, fire them all!
Free the slaves!
Wild speculation? We have it!
"So my best guess at this stage would be that the attackers managed to upload something malicious on the [services.foxconn.com] server and somehow used that to gain access."
They could also have used Psy powers.
I Still Marvel
That one application can so frequently and kindly serve as entry point to entire corporations.
Where do I want to go today? A dark satanic mill, please.
Doesn't look like anything very interesting
Get a load of this then
Lots of emails?
Including ones where Apple acknowledge they know all about conditions at FC and cynically discuss how best to look like they're doing something while keeping costs down and production up?
Someone somewhere must be feeling a bit nervous, I'm sure.
Iron ring of firewalls good; security in depth not so good.
if yer a bean counter.
Beer - to remind me of lunchtime.
Wow...that is giving some pretty big leeway. Hacktivists promote righting a wrong, fighting the good fight, not "the hilarity that ensues when..."
Is it still too late to sign the Petition? Also is it available online?
Could someone enlighten me, please?