* Posts by Aodhhan

262 posts • joined 25 Apr 2008


Microsoft lets Beijing fondle its bits in new source code audit hub

Aodhhan
Bronze badge

The Chinese

They aren't as worried about back doors as they are other things. For instance, the Chinese, like other governments, do most of their classified work on non-public connecting networks. So they aren't too worried here. However, due to their tireless efforts hacking into corporate and other government systems, they may be more concerned something is coded in Windows allowing the US government to trace malicious packets back to them, to identify them definitively when they commit such acts.

...not that US Intel agencies really need this technology }:>

0
0

Brits: Can banks do biometric security? We'd trust them before the government

Aodhhan
Bronze badge

Of course 2/3rds say this...

Most of the public is ignorant of the pitfalls of using biometrics. They see Hollywood movies depicting the US government using biometrics to access the most secure places (which of course, isn't the case), so they believe this is the way to go.

Once Hollywood comes out with a movie showing how hackers can take advantage of biometrics, then perhaps things will change. :)

0
0

It's OK for the FBI's fake hacks to hack suspects' PCs, says DoJ watchdog

Aodhhan
Bronze badge

Re: Old trick works

This is why most hackers will use links to a malicious site rather than pictures or a variety of other methods.

0
0

Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Aodhhan
Bronze badge

Re: At the AC, Security 101:

Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

0
0
Aodhhan
Bronze badge

Re: Remote???

Insider threats... which are approximately 18% of attacks corporate networks face.

0
0
Aodhhan
Bronze badge

Unless the hard drive is encrypted. Then booting up Linux and mounting the system's hard drive doesn't help you grab anything.

The subject of the article allows you to get around this, since as a user with local administrative privileges, you'd have the encrypted keys.

0
0

Sniffing your storage could lead to sensitive leaks, warn infosec bods

Aodhhan
Bronze badge

Re: I'm starting to get tired of these ...

This is because you haven't done a lot of research.

Gathering information via electromagnetic signals from computer systems was being done by various intelligence agencies back in the 70s, without having to have internal access to the building which housed the computer system.

Today, computer devices are everywhere. Most concerning are point of sale and point of interaction devices, ATMs, etc. They also give off EM signals, and I can stand in line next to you while you use them and pick up the signals. I don't need to be 50 feet away.

At the bank, while a teller enters your information I can be in line, and again, pick up EM signals or at the ATM. While you're tapping away at Starbucks, etc. Laptops are made to be lightweight, and have nothing which interferes with EM signals. Picking up keyboard signals can provide a malicious individual with a lot of information. Like credit card numbers, passwords, etc.

Automatically discounting something without conducting research on it doesn't make a lot of sense. Just because you "believe" or "think" something cannot happen, doesn't make it true.

3
1

33 million CLEARTEXT creds for Russian IM site dumped by chap behind Last.FM mess

Aodhhan
Bronze badge

Why are we talking about passwords

The best password in the world doesn't matter if the site storing them doesn't properly take care of it.

The subject of this article is more about poor password storing, which affects a lot of users. If an individual decides to use a crap password, then it only affects them (for the most part).

Let's face it, this application isn't exactly high risk if someone manages to guess or dictionary attack a simple password. So, focus needs to be on web sites which are negligent in their responsibility to protect your information.

It doesn't take a genius to set up an encrypted database and route to and from the web service.

1
0

Meet the malware that screwed a Bangladeshi bank out of $81m

Aodhhan
Bronze badge

Re: Your teacher told you that proper spelling and grammar are important

Perhaps you mean, "...proper spelling and grammar IS important"?

Have to love grammar-police who lack skills.

0
0

Apple is making life terrible in its factories – labor rights warriors

Aodhhan
Bronze badge

There's more to China than meets the government approved pictures/videos

Yep, China has grown in huge leaps and bounds for about 20 million Chinese citizens, who live in the 4 largest cities. Unfortunately, these 4 cities don't encompass or reflect China as a whole or the other 2 billion citizens who live in very poor conditions.

Stop and look at the forest through the trees, and only the pictures you are allowed to see by the Chinese government. People there are still very controlled by the government, who also controls what and where there is wealth. You can work hard there, build a very successful corporation... yet if someone in power doesn't like you for some reason or another, you likely won't own your business very long.

1
0

Russia MP's son found guilty after stealing 2.9 million US credit cards

Aodhhan
Bronze badge

Just because his crime isn't violent doesn't mean he/she wouldn't do anything to stay out of jail. There are plenty of times when non-violent offenders have taken hostages when faced with arrest or claim to hold an explosive device. In today's environment, law enforcement around the world isn't taking chances... since they would like to make it home safely every day after work.

5
0

NewSat network breach 'most corrupted' Oz spooks had seen: report

Aodhhan
Bronze badge

Re: ISP's are the keyholders

Trevor... you're obviously not well versed in encryption; which means you couldn't hack your way out of a "hello world" statement.

2
2

French submarine builder DCNS springs leak: India investigates

Aodhhan
Bronze badge

What is deployed operationally and what is available are two entirely different things.

A ship can be in port for crew rest and or training. Or to save money.

Why have half of your fleet out and about doing nothing if there isn't a mission for them to do? This would be a huge waste of money and resources.

You guys are smarter than this. Before engaging your mouth prematurely, stop and think for 5 minutes why something is the way it is... believe it or not, you're not the smartest person on the planet. Especially when it comes to naval deployments/operations.

0
0

French, German ministers demand new encryption backdoor law

Aodhhan
Bronze badge

Let's face it...

This isn't a high priority item for most people, so they aren't supporting or not-supporting politicians based on their encryption stance. Most politicians, once they get into office are going to want controls on e2e encryption.

Toss out statements all you want; it isn't going to change things in the near future.

0
0

Update your iPhones, iPads right now – govt spy tools exploit vulns

Aodhhan
Bronze badge

The SKY IS FALLING

Don't you just love those who overdo worrying in an above and beyond means to display drama?

Let's say the NSA is using this, do you really think they are looking at YOU? Or... perhaps using it against terrorists and not so friendly nation states?

Let's face it, you're not really THAT important.

0
2

Californian gets 50 months in prison for Chinese 'technology spy' work

Aodhhan
Bronze badge

Re: Heaven Preserve Us From Overzealous Agents

Yes yes, what in-sight. We all know how they work. Like there is no difference between the engine in your car and the engine in a formula 1 series car. Right? This is what you're saying.

Just as formula 1 teams closely guard the engineering secrets to creating more horsepower and torque with lighter materials to last at high RPM; there are large differences between a typical commercial jet engine, and that of a jet fighter.

..and thinking any jet mechanic understands how everything works is silly. They don't engineer or tweak the parts, they inspect, repair, replace and test. Most military jet engine schools last less than 10 weeks; this includes basic and specific engine courses.

Anything outside their basic skills is typically handled by contracted engineers for the respective company who created the engine.

0
0

Tech support scammers mess with hacker's mother, so he retaliated with ransomware

Aodhhan
Bronze badge

Don't get too happy

The fact the scammer immediately hung up is because he became wise on what was happening. Likely due to malware/virus protection on his end. This means the attack was halted.

If the attack was successful, the scammer wouldn't have noticed and gone on with business as usual.

Also, these guys aren't completely stupid. The system likely didn't allow any changes in most files/directories or registry, so a quick reboot and the system is back to normal.

1
5

White hat pops Windows User Account Control with log viewer data

Aodhhan
Bronze badge

Can you all quit spewing out the obvious?

We get it... to those who don't work in the seemingly unexcited world of computer science, this seems like a pretty idiotic thing... bypassing UAC while already having the keys to the kingdom.

To computer engineers and scientists, this represents a very large hole in the processes of the operating system, and also displays being able to do a few things out of the ordinary while bypassing UAC. In simpler terms, while digging in the sand a buried chest was found. Now someone needs to be able to work a little harder to get it out and see what is inside.

0
0

DIY bank account raiding trojan kit touted in dark web dive bars

Aodhhan
Bronze badge

You mean, why isn't the US Gov't getting into the hackware business in the same manner as when they took over the original TOR network?

...what makes you think they don't have a dog in this fight?

There are a lot of malicious tools available on the darknet. This one offers a lot of things all rolled into one, and is getting media attention.

0
0

McAfee outs malware dev firm with scores of Download.com installs

Aodhhan
Bronze badge

A great training site

download.com and others are fantastic sites for training reverse engineering. You can always find applications which have been screwed with and hand them out as assignments.

Companies who allow their freeware applications to be downloaded from these sites are just asking for trouble. They'd serve the public better by hosting it on their own site, require registration/validation and ensure an MD5 hash is provided.

2
0

Boffins' blur-busting face recognition can ID you with one bad photo

Aodhhan
Bronze badge

Privacy concerns

Use of these systems is for protection and safety; which trumps privacy in nearly every instance when you're out in public or on commercial property.

Don't get shocked when you find out there is a database of facial recognition data which is shared among those who use these applications. Las Vegas casinos have been doing this for years now.

In most cities, mug shots of criminals are posted and these pictures are available to download and put into facial recognition systems. So, if you commit a crime in Nowhereville, Idaho you could set off bells and whistles when entering a store in another part of the country.

You can bet your life, facial recognition will start to be used when you go in for a job interview. So, you think it's bad now... you have no idea.

1
0

Linux malware? That'll never happen. Ok, just this once then

Aodhhan
Bronze badge

How good of an admin are you?

Instead of staying on topic, almost everyone jumps into the ridiculous argument of UNIX vs Windows.

Really guys? If you're distracted by such idiocy, just how good can you be at administrating an operating system? I would hope you'd be more professional and not let some post agitate you.

You'd serve yourself better by taking these articles and using them as "lessons learned" to ensure your systems are secure. Just because you believe your systems are securely configured doesn't make it so.

2
0

Big Red alert: Oracle's MICROS payment terminal biz hacked

Aodhhan
Bronze badge

Another Oracle failure

Oracle has been in charge of this company long enough to be held responsible for this.

It's just another in a line of failures for Oracle. A company who states they prize security, yet continue to have problems which shouldn't happen.

When failures happen with this frequency and magnitude you cannot blame coding or personnel; you must point the finger directly to management and policy.

We stopped using Oracle products nearly two years ago. It makes me shake my head whenever I see an organization using Oracle applications of any kind.

When I notice an organization using any Oracle product, it makes me wonder just how competent the CIO and information security management team is.

1
0

How many zero-day vulns is Uncle Sam sitting on? Not as many as you think, apparently

Aodhhan
Bronze badge

What crap and an epic math fail.

Given the different operating systems involved on many different systems throughout the world, I would guess there is A LOT MORE than 50 zero days available to the US Government. However, we'll never know as these fall into special access programs; and those who work on Apple do not know what those who work on Microsoft have. Those who work on CISCO applications will not know what those who work on firewalls will have. Etc. etc.

It's always interesting when someone makes a claim about being with some agency's program, yet fails to really put 2 and 2 together.

So Professor Healey... I'd say give your students a pass, but give yourself a big fail... because you didn't adequately provide a good background for them to use. It also seems your background in JTF-GNO (as it was properly referred to when founded) is questionable.

If you were part of the organization then... just what exactly did you do? Because it seems you're way off base. You don't even have the wisdom to realize just how many different applications and OS's are researched.

0
0
Aodhhan
Bronze badge

Re: Except that the NSA is supposed to be in charge of America's cyberdefense too

You're wrong, but nice job of BSing... not really. You'd think with 3 minutes of research, any idiot can figure this out... apparently not!

NSA is not in charge of the nation's cyber defense. This is the job of USSTRATCOM, who delegates much of the responsibility to USCYBERCOM.

0
0

Broken BitBank Bitfinex shaves 36% from all accounts

Aodhhan
Bronze badge

Come on, this is almost comedic

The Hillary Clinton business model.

Have poor information security and blame it on the hackers. Then tax the heck out of everyone to pay for her salary and the 'problem'.

It works, because there are a lot of suckers and idiots.

1
0

Brit network O2 hands out free Windows virus with USB pens

Aodhhan
Bronze badge

You can call BS, but you're forgetting...

USB isn't the only attack vector for this. If you have Windows 95 system running (help us), and go to an infected web site, you've now contracted it.

Forest thru the trees.

6
2

US Politicians tell DEF CON it'll take Congress ages to sort out how to regulate crypto

Aodhhan
Bronze badge

Doughnut eaters and lazy community.

There are good arguments against encryption laws of any kind. However, bashing law enforcement officers/agents isn't the way to make a point. It's a lazy and childish means of crying. It sure doesn't make people take you seriously.

You'd like to think most people who comment here don't interject emotion, but rather are smart enough to look at this logically and objectively. Unfortunately, this isn't the case... apparently.

If you believe those who investigate crimes (and these aren't your street cops, duh), are merely always pinning their hopes on electronic means of evidence, then you're the lazy one. Too lazy to actually realize what needs to be done in order to bring a case to a prosecutor.

...and if you think you can do a better job, that the law enforcement community is so battered, broken and riddled with corruption... join up, show everyone how it's done.

0
1

TechCrunch defaced by self-professed 'white hat' hackers

Aodhhan
Bronze badge

Oh c'mon

If you host anything on WordPress you have to be willing to have your site hacked. I've said it before, WordPress is a training site for web service hacking.

If you're going to use it, only use WordPress for information... and then monitor it closely in case someone does gain access. Don't use any of the plugins, or anything which holds or allows access to backend components. In fact, if you're going to use it... don't put it on your network; instead, use a web hosting site.

Oracle database, Flash, Java, WordPress... four things you should keep on top of if you have any cybersecurity responsibilities.

Lift your nose in the air and turn away from a vendor which doesn't provide web services using HTML5.

1
1

PHP flaws allowed God mode access to top smut site

Aodhhan
Bronze badge

Rumor is

...they would have found these exploits faster, but everyone kept taking long bathroom breaks.

However, I do agree with the article. I'm a bit shocked about PHP without JSON.

Time to begin coding like it's 2016, not 2006.

0
0

WordPress admin? Thinking of spending time with the family? Think again

Aodhhan
Bronze badge

I think everyone in cybersecurity knows...

WordPress is a training ground for hacking. Especially the modules. Small files which don't take a seasoned expert to reverse engineer, fuzz, etc.

2
0

Hacker shows Reg how one leaked home address can lead to ruin

Aodhhan
Bronze badge

Re: “These sites are everywhere”

Not making information available, especially where the government is concerned will make corruption much worse than it already is. In the USA, the people have the right to know everything their government is doing, it's part of the constitution and expanded by FOIA. This is one of the reasons Hillary is in such hot water, well, except for the fact she's above the law.

As far as private companies using this information. Will make it much harder to get insurance, a credit card, bank loan, etc. If you outlaw it, then the rates for using private companies needing information will go way up because their risk increases.

You don't have to play the game, but you won't exactly get far.

2
0
Aodhhan
Bronze badge

It's not just Facebook

There are so many different databases online which hold your information it's crazy. It makes doing a background check on someone so easy. What information is available depends on the country and province/state where you live.

Ever been charged (not just convicted) with a misdemeanor; even a speeding ticket?

Been involved in an auto accident?

Been married?

Bought a house/land?

Have a credit rating?

...the list goes on and on.

In this example, he's just using Facebook as a starting point. There are many others.

4
0
Aodhhan
Bronze badge

Re: People don't listen

Yet you have an account on this website and likely others. Meaning your IP address is recordable each time you log in, and all your posts and any information in them likely tells a story or two when laid out and studied.

You think this website or its host is trustworthy?

Ohhh.. you only think you need to worry about Facebook? There isn't much difference.

5
10

Flaws found in security products from AVG, Symantec and McAfee

Aodhhan
Bronze badge

Re: Flaws found in Windows API

You can not be serious.

Externally facing OSs have nothing to do with this vulnerability. Apparently, someone has an agenda, is blindly ignorant, or both! You think you can just see a Microsoft OS box, yell, "Weeee... I can take advantage of this vulnerability"?

There are many ways AV applications use to review code. Hooks during dynamic testing of the code is just one method. It's a little more complicated than just looking for a bunch of NOPs in memory.

I have no favorite OS. However, as a penetration tester I will say this... I have more success against externally facing *nix systems than I do externally facing Microsoft systems.

4
0
Aodhhan
Bronze badge

Re: AT WHICH POINT...

...will you get off your *nix high horse and realize this isn't an OS problem. Apparently, you're so stuck on *nix, you don't understand exactly what is going on here.

I'm not partial to one OS over the other, but realistically, I'd put the Windows OS up against *nix for memory hooking/corruption monitoring any day. So will any other penetration tester. So fuzz up your favorite *nix application, and if you look hard enough you'll likely find somewhere you can stick a NOP sled and have it point to your favorite malicious code. The only thing keeping someone from taking advantage of it, is the very endpoint software you are so epically calling, "bloated".

...or stick to your barebones *nix OS and run your favorite application which does just a few things or was compiled in 1988.

3
1

For $800 you can buy internet engineers' answer to US government spying

Aodhhan
Bronze badge

Or...

Necessary if you move a lot of data. If not, the cheaper alternative is to use host-host with certs kept on a USB key. Realistically, if they really want the equations to move faster, they will need more processing and memory put on the device.

FIPS 140-2 protocols and ciphers will likely be the norm on these devices. One thing to remember about FIPS 140-2 encryption, is that they only show what is usable by the US Government for top secret and below. For information above top secret, encryption is governed by a different set of publications.

Meaning, state sponsored intel agencies can likely crack the encryption within several months.

When it comes down to it, the easiest way to get past encryption is to get on the box itself. You can put millions of dollars into encryption, but if you click the wrong thing on the Internet... it doesn't matter.

So as an individual, if you really can't wait to shell out the money for this device... you likely haven't done a proper risk assessment, or you have more pride than brains.

1
0

Governments Googling Google about you more than ever says Google

Aodhhan
Bronze badge

not really...

If there are 100,000 people in a city, how many of them do you think are likely to be criminals? I'm betting it's a lot higher than the 1:10000 ratio.

0
0

Hardball hacker thrown in the cooler for 46 months for guessing rival team's password

Aodhhan
Bronze badge

I agree it's a bit harsh. People who have stolen databases with credit card numbers, other fraudulent acts, or your last name is Clinton receive less or no time.

2
1

World-Check terror suspect DB hits the web at just US$6750

Aodhhan
Bronze badge

Value

Bitcoins aren't valued on anything. Nobody uses them as an investment, since they aren't backed by anything and there is no guarantee.

The value goes up and down based on demand and to ensure the company itself profits; i.e., a commission.

If some wealthy companies find the need to use bitcoin a lot, the value goes up due to demand. If the number of companies/individuals using Bitcoin services goes down, the value goes down. It's this simple.

Companies don't invest in bitcoins because it's too risky and volatile, and they don't buy a few bitcoins in case they are hit by ransomware. Why would they? It would be wiser to put money into an investment which is a lot less risky and more likely to provide a profit. Then purchase bitcoins as needed.

0
0

Maxthon web browser blabs about your PC all the way back to Beijing

Aodhhan
Bronze badge

There are no safe browsers.

Inherent to the protocols used by browsers, you can't keep everything secret. Even if you refuse something coming into your browser, it tells a tale.

Using the Internet is a lot like going outside in that you cannot expect total privacy.

..and get a grip when it comes to the NSA. If you live in a NATO country, your own government does more spying on your country than the NSA does. In many of them, they don't even require a warrant to do so.

3
1

McCain: Come to my encryption hearing. Tim Cook: No, I'm good. McCain: I hate you, I hate you, I hate you

Aodhhan
Bronze badge

Seriously?

I don't agree with the senator when it comes to allowing back doors for encryption, but don't trash someone who was a POW. Especially when news comes from crappy internet web sites with no credibility, no proof, and isn't picked up by a national/world media organization. To do so only makes you a hard headed partisan whose brain is so closed you're no longer able to think for yourself or think critically.

In all reality, Cook missed an opportunity to be the opposition voice for this... because of his apparent hatred of anyone who wants to mess with encryption. Because of this, it really p$$@#! me off he didn't show. Cook has more than enough experience and knowledge to have answered any questions thrown at him, and given a chance to provide light on the subject. Congress isn't a bunch of computer nerds, so without testimony from opposition (which is done all the time).

McCain is equally boneheaded because he is focusing too much on Apple, instead of working a few other angles; which in my view would do him more good... but I must admit I'm glad he isn't!

It's also apparent people don't understand the 5th amendment and when it can be used. When asking questions to put together facts, and the questions aren't geared towards pressing charges or criminal acts... the 5th can't be used. This should be obvious. Nobody is saying Cook has broken the law, he's just standing up for what he believes to be an infringement on his rights.

1
0

World's worst exploit kit weaponises white hats' proof of concept code

Aodhhan
Bronze badge

Security is not a myth.

In the most general terms, security is: the act of protecting something valuable. You can add many different types of "security" to a door, room or a network; therefore it isn't a myth. It exists.

Absolute security however, cannot be accomplished. There will always be a weakness if you want access to the valuable. This doesn't make it a myth.

Anyone in cybersecurity knows this and before deciding on what security measures to employ first complete a risk assessment. There is no need to spend $40,000 to protect $1,000 of valuables.

To protect something, cybersecurity employs defense in depth which are security measures placed to protect something and add protection on top of other protections. Again, security. Some protection methods are better than others, some are more expensive to employ than others.

To make the point, security by obscurity is another security measure used. Therefore, it isn't a myth. Code is obscured all the time to make it more difficult to RE. This doesn't mean it will protect the code forever... it's just another measure employed to make it more difficult to bypass the security measure.

What creates the illusion you speak of is the fact hackers only have to get it right once against millions of systems connected to the Internet. For the most part, hackers are a lot like water in that they follow the path of least resistance.

I think you can figure the rest from here.

4
0

Euro IP study finds 25 Tor-and-Bitcoin-loving pirate business models

Aodhhan
Bronze badge

Well...

This is 3 minutes I'll never get back.

0
0

Silently clicking on porn ads you can't even see – this could be you...

Aodhhan
Bronze badge

You wouldn't be guilty if you're a Clinton.

1
0

Hackers steal millions from ATMs using 'just their smartphones'

Aodhhan
Bronze badge

You're all smarter than this

If banks didn't take IT security seriously, considering the number of ATM machines there are, there would be 10-20 thefts a day. Since in most countries, the bank takes the bite for any ATM hijacking, they do take it seriously.

Some banks may not take it as seriously as others, but in most larger countries, banks have gone all out to protect ATMs.

You should also know, there isn't anything which is hacker proof. NOTHING. Especially any system with external customer facing interaction, and a huge box holding a computer which goes through quite a few hands from when it leaves the factory until it gets placed into operations. So, plenty of time for someone to gain access and introduce something. A lot of companies may not take supply chain security seriously, or can be bought. You all can figure it out from there.

1
0

OpenSSH has user enumeration bug

Aodhhan
Bronze badge

Hopefully...

Not a huge issue in my book. If you're exposing port 22 or any other comm port externally... you have bigger issues to worry about, and by now... most host based firewalls should only accept comms from other internal systems; hopefully, along with a log management system which sends out some sort of notification after 10 consecutive login fails. Yes, I know this can be irritating when decommissioning servers.

1
0

Chinese hacker jailed for shipping aerospace secrets home

Aodhhan
Bronze badge

Light Sentence

It does seem a bit light, but the information was classified "For Official Use Only", no secret or above information was stolen. I wonder though, before the arrest, how much misinformation they planted into the system which was then transferred to China?

1
0

ANZ Bank staffers drop slick incident response tool for Mandiant mobs

Aodhhan
Bronze badge
Thumb Up

Nice Article

Mr. Pauli... I normally bust your chops, this one is nicely done.

1
0

Critical remote code execution holes reported in Drupal modules

Aodhhan
Bronze badge
Joke

Re: "The Coder module [..] does not need to be enabled in order to be exploitable"

You must be joking. In the past year, WordPress had vulnerabilities which were around for more than 90 days. This isn't impressive... especially when PoC's are available within days of the notification.

WordPress is also popular for hacking due to the number of tools built specifically to interrogate the application for vulnerabilities.

What also makes it dangerous is the number of add-ons available and who builds them; which increases the number of attack vectors to go for.

The modules are much easier to reverse engineer than the main application itself. It's also the addons which typically have the long patch times. These are also much easier to create attack modules for... which allow just about anyone to successfully attack.

Dangerous claim to make if you're not well versed in these matters.

1
0
