Feeds

* Posts by Carter Cole

37 posts • joined 14 Aug 2009

Fog of cyberwar: internet always favors the offense

Carter Cole
Grenade

There is defense

just because defense is hard doesn't mean there isnt any defense... if you have a public API someone is scraping it doesnt matter if its against TOS is up to you to be smarter than them... google created on time access tokens so you can pass a secret to lookup one call and one call only

yes its easier to break then build duh... you have to find 1 hole and we are trying to find and plug all the small leaks in the dam that may lead to the catastrophic failure and total breech

tell me im wrong... im @cartercole and id love to argue with you :)

0
0

Confusion over 'secret code' in US military Cyberforce crest

Carter Cole
Joke

can someone lend me a Beowulf cluster?

quick someone make up some text that makes them sound really dumb for using a insecure hashing algorithm then calculate the collision to match their mission statement hash... lolz

0
0

YouTube vuln pwns Justin Bieber fans

Carter Cole
FAIL

too busy blowing stuff up

im sad i missed this xss attack... google seems like they fixed it quick.

0
0

Drupal clarifies security rules after White-House gaper

Carter Cole
FAIL

i so called this would friggen happen

not that it wasnt totally predictable but i called this

0
0

Captain Cyborg sidekick implants virus-infected chip

Carter Cole
Terminator

all i see is a universal key for spys

like why not write virus code to open any rfid door or cell like that guy said... i mean ton of code and exploits but for reals military put some people on that (id bet you a penny there already are) and make a way cool electronic lockpick

0
2

Zombie tactics threaten to poison honeypots

Carter Cole
Alert

10k reasons why

you can make 10k virtual machines for free but even with old 386 your going to pay more for power and each machine to the point where it becomes ineffective to try and scale

0
0
Carter Cole
Terminator

another feature to add to the code in my head

to have a giant botnet would be awesome but i must confess ive been writing code in my head for one (and how to make it beat all the other) thanks for the heads up on another feature i need to add in :)

1
0

iPhone App Store bars mention of Google Android

Carter Cole
FAIL

woohoo competition

man what a great company...

0
0

Potty mouth hackers pwn TechCrunch (again)

Carter Cole
FAIL

im guessing some sql injection

sounds to me like they found a few sql injection holes and they are modifying the template after they fix each hole... iono its just speculation

0
0

Full-body scanner blind to bomb parts

Carter Cole
Flame

thats thermite

it produces molten iron that could burn through an engine block

aluminium and iron oxide (rust)

http://en.wikipedia.org/wiki/Thermite

0
0

Feds investigate theft of $3m from NY school

Carter Cole
FAIL

it was a phish email...

they got an email from a rich foreign investor who wanted to give some funds to the kids but needed the collateral to make the transfer

0
0

Lawyers claim Palin hack suspect's PC had spyware

Carter Cole
FAIL

i thought he confessed when they picked him up...

new hacker defense... leave malware on your computer and claim that they stole your identy and made your evil blog posts as you and that you actually know nothing about computers... when the judge asks you about your ip then you can just claim "ip in the toilet"

0
0

Hacker scalps NASA-run websites

Carter Cole
FAIL

sql injection ftw

i just peeked at screen shots it looks like it was compromised with sql injection...

0
0

MS honeypot research sheds light on brute-force hacks

Carter Cole
Thumb Up

use pass phrase

instead of using passwords that are one word you should use pass phrases like "ilovetoeat" upper and lower i think help the most but just to get length they usually haven't computed hash for passwords that long and brute-force would take forever

0
0

Extra spam and malware security for bit.ly

Carter Cole
FAIL

dont they use a custom ua to request those urls?

ok so i made a page that returns the ua of the request in the title and shortened it with bit.ly

i got the title back as "bitlybot" (bitly bot is the ua that bit.ly uses) then i made it so it would "cloak" the page when bit.ly was requesting it <a href="http://bit.ly/cloakua">http://bit.ly/cloakua</a> now you get different page if bit.ly requests it rather than a regular user. this is even better if you know all bit.ly ip then you can do ip based cloaking which is even better

i know this is a simple attack but i think it demonstrates my point

1
0

Web service automates WordPress password cracking

Carter Cole
Boffin

man i love php

i think this will be a growing trend compromised web hosts will be used in bot-net style attacks using php as more and more c&c and "bulletproof hosting" options are taken down or disconnected on the internet

1
0

Facebook swipes user's vanity URL

Carter Cole
FAIL

thats a bunch of bs

i have vanity urls and hope this never happens to me... i bet the company complained and they killed the name...

1
0

Climate change hackers leave breadcrumb trail

Carter Cole
Grenade

my server doesnt save all the request headers

yea i dont think that header was saved and like the others said if all they used was a proxy shame on them they could sit outside a house and use that wifi

1
0

Major IE8 flaw makes 'safe' sites unsafe

Carter Cole
Terminator

so does someone have details of the bug?

id really like to know more

1
0

iPhone worm hacker gets death threats, job offers

Carter Cole
Go

but most of all sammy is my hero...

the same was true of one of my favorite xxs attacks the myspace hero worm

seen here with technical description http://namb.la/popular/

myspace got pissed and brought up charges so even tho hes not a for pay hacker malware guy he still may have some legal trouble in his future

0
0

Win 7 remote kernel crasher code released

Carter Cole
Grenade

ok how bout this one

so you use Anti-Pinning DNS attack to bypass firewall after you have identified a target with an office of windows 7 then use flash to send the broken packet to the broadcast then the loop-back and shut down the entire office...

social engineering is used to tweet to an employee during the day to allow for the DNS attack

would that work? would broadcast kill all the venerable computers? can flash send a "broken" packet?

1
0

Attackers conceal exploit sites with Twitter API

Carter Cole

remember when they figured out the domain algorithm for confricker

good idea because it would be really hard to predict what the next days twitter trend will be so you cant preregister or block those domains to keep them from contacting command and control like they did for some of the other C&C domain generators that are predictable so you can get in front of the hackers

0
0

Facebook scoffs at hacktivist stunt

Carter Cole

losers

ooooh they changed the names of some groups...

0
0

Malware cleans out jailbroken iPhones

Carter Cole
Black Helicopters

conspiracy by apple or at&t?

if its just jailbroken phones perhaps its apple doing it or at&t they dont want you to have that functionality and everyone is jailbreaking the way to stop it is to spread fear of a worm that will f your phone

0
0

Security firm chokes sprawling spam botnet

Carter Cole
Pirate

not good programing

like they said if its not implemented properly anything can fall. as far as the first comment on it being illegal to modify computers i think they modified the C&C servers not the bot PCs (like BBC did) so it would be hard pressed to find the owner of the computer

0
0

Bot herders hide master control channel in Google cloud

Carter Cole
Pirate

this will happen more and more

i think that this is only beginning when i have thought about writing a bot the services that many provide are ideal for use with a botnet. what if they start adding stenography to the images they upload to Facebook and the profile looks real and everything looks natural but its all a bots page to keep its settings saved and relay commands

0
0

Twitter fanatic glimpses dark side of OAuth

Carter Cole
FAIL

do you not get oauth?

i know its new to alot of people but i was thinking this the other day what if they get your google oauth then the can do all kinda nasty but you just revoke the tokens and if you have already been hacked then you already prolly sent some spam for them so a couple more messages because you forgot to revoke tokens isnt that bad. could they make it more clear how to clear the tokens and such yes but its not that bad

0
0

Bloggers howl after conference snoops on 'secure' network

Carter Cole
FAIL

lolz

oh noes the hackers didnt knock on our door and tell us that the "secure" wap was really controlled by them bla bla bla well now ur on a wall the only networks you can trust are your own the isp can watch everythign go by do deep packet inspection and all kinds of other bs and you would never know

0
0

Trojan plunders $480k from online bank account

Carter Cole
Gates Halo

everyone already saying it but i gotta chime in too

windows is not the issue its dumb ass users yes trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone but if you use even a little common sense you wont get infected. when i get a virus (usually because i was slumming it on the nastier parts fo the internet looking for viruses) i wipe my computer. i don't log into online banking anywhere i make sure that i trust that the machine is not compromised and if i even start to suspect it i wont go to online banking. i mean its like saying use macs because they dont get viruses well now they are and while some other options may be less likely to get infected but if you are just safe in the first place you will never have an issue

0
0

'Hack Idol' to find top UK cyberwarriors

Carter Cole
Black Helicopters

i would so be part of the american version

so when yall dudes at the network are looking for american contestants for the tv show id love to be part of it

0
0

Twitter bans security maven for sharing naughty link

Carter Cole
Black Helicopters

how bout a warning for bad urls

how bout before it sends you to destination ti warns you that this link is for security researchers and that it has malicious code behind it and if you click your ok

0
0

Game censorship crusader sues Facebook for $120m

Carter Cole
Grenade

god i love gamers...

lolz commentz...

0
0

Botnet buries commands in image files

Carter Cole
Black Helicopters

i agree not stego

i want to write a bot that uses true steggo like knows where to find the original image (from some google page or a image hosting site) and then keeps its data stored like in the sample pictures of the computer or something i think that would be a cool bot.

0
0

Automated attacks push malware on Facebook

Carter Cole
WTF?

if thats true recaptcha is broken

if they are making new profiles with any kind of speed or volume it isnt humans filling in captcha and recaptcha has been broken

0
0

Google shuts down bank snafu Gmail account

Carter Cole
FAIL

why the hell?

why the hell were they emailing a document like that to a gmail account anyways? shouldnt they use a secure ftp server or something to do that?

0
0

Australia mulls botnet takedown scheme

Carter Cole
Grenade

slippery slope

i think this an start to be a net neutrality issue at what point do we consider a machine infected and what if the person is sending mass mailing and one doesn't like the email they get. do you knock the entire server off because of one bad review if everyone else likes the emails? what about competitors abusing the system could i disconnect your business with enough reports that you ip is bad

0
0

Hacktivist vuln still plagues UN.org

Carter Cole
Pirate

SQL Injection is easy to fix

this is just dumb i cant believe they leave such stupid venerabilities open i hope this article pushes them to fix the issue for their sake and their users

0
0