37 posts • joined Friday 14th August 2009 19:10 GMT
There is defense
just because defense is hard doesn't mean there isn't any defense... if you have a public API someone is scraping it doesn't matter if it's against TOS, it's up to you to be smarter than them... google created one time access tokens so you can pass a secret to lookup one call and one call only
yes it's easier to break than build duh... you have to find 1 hole and we are trying to find and plug all the small leaks in the dam that may lead to the catastrophic failure and total breach
tell me i'm wrong... i'm @cartercole and i'd love to argue with you :)
can someone lend me a Beowulf cluster?
quick someone make up some text that makes them sound really dumb for using an insecure hashing algorithm then calculate the collision to match their mission statement hash... lolz
i so called this would friggen happen
not that it wasn't totally predictable but i called this
all i see is a universal key for spies
like why not write virus code to open any rfid door or cell like that guy said... i mean ton of code and exploits but for reals military put some people on that (i'd bet you a penny there already are) and make a way cool electronic lockpick
another feature to add to the code in my head
to have a giant botnet would be awesome but i must confess i've been writing code in my head for one (and how to make it beat all the other) thanks for the heads up on another feature i need to add in :)
i thought he confessed when they picked him up...
new hacker defense... leave malware on your computer and claim that they stole your identity and made your evil blog posts as you and that you actually know nothing about computers... when the judge asks you about your ip then you can just claim "ip in the toilet"
use pass phrase
instead of using passwords that are one word you should use pass phrases like "ilovetoeat" upper and lower i think help the most but just to get length they usually haven't computed hash for passwords that long and brute-force would take forever
don't they use a custom ua to request those urls?
ok so i made a page that returns the ua of the request in the title and shortened it with bit.ly
i got the title back as "bitlybot" (bitly bot is the ua that bit.ly uses) then i made it so it would "cloak" the page when bit.ly was requesting it http://bit.ly/cloakua now you get different page if bit.ly requests it rather than a regular user. this is even better if you know all bit.ly ip then you can do ip based cloaking which is even better
i know this is a simple attack but i think it demonstrates my point
man i love php
i think this will be a growing trend compromised web hosts will be used in bot-net style attacks using php as more and more c&c and "bulletproof hosting" options are taken down or disconnected on the internet
my server doesn't save all the request headers
yea i don't think that header was saved and like the others said if all they used was a proxy shame on them they could sit outside a house and use that wifi
but most of all sammy is my hero...
the same was true of one of my favorite xss attacks the myspace hero worm
seen here with technical description http://namb.la/popular/
myspace got pissed and brought up charges so even tho he's not a for pay hacker malware guy he still may have some legal trouble in his future
ok how bout this one
so you use Anti-Pinning DNS attack to bypass firewall after you have identified a target with an office of windows 7 then use flash to send the broken packet to the broadcast then the loop-back and shut down the entire office...
social engineering is used to tweet to an employee during the day to allow for the DNS attack
would that work? would broadcast kill all the vulnerable computers? can flash send a "broken" packet?
remember when they figured out the domain algorithm for conficker
good idea because it would be really hard to predict what the next day's twitter trend will be so you can't preregister or block those domains to keep them from contacting command and control like they did for some of the other C&C domain generators that are predictable so you can get in front of the hackers
conspiracy by apple or at&t?
if it's just jailbroken phones perhaps it's apple doing it or at&t they don't want you to have that functionality and everyone is jailbreaking the way to stop it is to spread fear of a worm that will f your phone
not good programming
like they said if it's not implemented properly anything can fall. as far as the first comment on it being illegal to modify computers i think they modified the C&C servers not the bot PCs (like BBC did) so it would be hard pressed to find the owner of the computer
this will happen more and more
i think that this is only beginning when i have thought about writing a bot the services that many provide are ideal for use with a botnet. what if they start adding steganography to the images they upload to Facebook and the profile looks real and everything looks natural but it's all a bot's page to keep its settings saved and relay commands
do you not get oauth?
i know it's new to a lot of people but i was thinking this the other day what if they get your google oauth then they can do all kinda nasty but you just revoke the tokens and if you have already been hacked then you already prolly sent some spam for them so a couple more messages because you forgot to revoke tokens isn't that bad. could they make it more clear how to clear the tokens and such yes but it's not that bad
oh noes the hackers didn't knock on our door and tell us that the "secure" wap was really controlled by them bla bla bla well now ur on a wall the only networks you can trust are your own the isp can watch everything go by do deep packet inspection and all kinds of other bs and you would never know
everyone already saying it but i gotta chime in too
windows is not the issue it's dumb ass users yes trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone but if you use even a little common sense you won't get infected. when i get a virus (usually because i was slumming it on the nastier parts of the internet looking for viruses) i wipe my computer. i don't log into online banking anywhere i make sure that i trust that the machine is not compromised and if i even start to suspect it i won't go to online banking. i mean it's like saying use macs because they don't get viruses well now they are and while some other options may be less likely to get infected but if you are just safe in the first place you will never have an issue
how bout a warning for bad urls
how bout before it sends you to destination it warns you that this link is for security researchers and that it has malicious code behind it and if you click you're ok
i agree not stego
i want to write a bot that uses true steggo like knows where to find the original image (from some google page or a image hosting site) and then keeps its data stored like in the sample pictures of the computer or something i think that would be a cool bot.
i think this can start to be a net neutrality issue at what point do we consider a machine infected and what if the person is sending mass mailing and one doesn't like the email they get. do you knock the entire server off because of one bad review if everyone else likes the emails? what about competitors abusing the system could i disconnect your business with enough reports that your ip is bad