53 posts • joined 2 Mar 2011
This might be a silly question, but why are the POS systems hooked up to the net, and how is it possible for the attackers to find them?
It's not just the fact that the salary is low compared to the private sector.
You've also got to factor in the personal risk that comes with such a job. You're instantly a more interesting target.
Then there are the additional restrictions placed on you - not being able to discuss your job, keeping a low profile etc, not to mention the travel restrictions you face that even last for a year after you've got sick of the pay and quit.
Hardware-based encryption certainly sounds interesting. I'm guessing you have to enter the key in the same way as for conventional laptop hard drives.
Would this mean that applications such as TrueCrypt are no longer needed?
Wipe and Load
I haven't used Wordpress that much, but if I'm not mistaken it is possible to do a Wordpress backup (posts, comments) etc., bomb the WordPress directory, reinstall WordPress, theme and plugins and restore from backup. Seems like this would be safer than manually looking through files in an attempt to discover malicious code etc. It doesn't take that long to reinstall everything.
Perhaps I'm missing something though; if anyone knows any better I'd be interested in hearing.
I think it's such a shame that people like him, who obviously have at least some skill/talent/dedication, spend their time and effort on just causing mischief rather than doing something productive and beneficial. I know people bitch a lot about the infosec community, but I'm sure it can't hurt to have a few more white hats around. I've no idea what motivates people to join the dark side, but I find it rather disheartening.
I think what's really interesting is that people are just accepting friend requests left and right. What's the point of 'friending' people you don't even know? Is it to boost your friend count as though that holds some sort of social credibility? Are people really that insecure/lacking that much self-esteem that they want to 'friend' everyone?
Back when I used Facebook, I only ever accepted people whom I was actually friends with and spoke to on a regular occurrence. Sure, I only had a few dozen friends on there, but I'd go for quality over quantity anytime.
"Facebook Ireland Ltd is already compliant with European Union data protection law and acts as the data controller for these users."
'Europe vs Facebook' begs to differ.
"Ghioni said his "precise mechanism" would need the "collaboration" of operating system manufacturers such as Microsoft and Apple to log all activities on their systems, according to the automated translation of the report."
My interpretation of this is system logs that are then uploaded to some central store.
What's next? We all wear pinhole cameras on our coats to monitor what we've been up to?
How soon before Linux becomes outlawed by not following this requirement?
Give me a break.
You just saved me from writing that.
It's the only way to deal with them.
You missed a bit
Let me just fix this part:
"Security by obscurity may not be so bad after all ***when used as an additional layer of defense***".
That's better. Surely this is obvious to anyone, though, since any extra layer of security is a good thing.
"according to an email John 'Warthog9' Hawley, the chief administrator of kernel.org, sent to developers on Monday. It said a trojan was found on the personal machine of kernel developer H Peter Anvin"
It wasn't his machine that was compromised.
One thing I always wondered was if a source repository is hacked and its contents modified, what is there to stop them modifying the list of hashes too? What with all the (in)security issues with websites, it seems that it wouldn't be too farfetched for such an eventuality to occur.
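An added illustration of the point raised above (not code from the original comment or from kernel.org): a hash list stored beside the files it covers gives no protection when an attacker who controls the server can rewrite both, whereas a manifest signed with a key that never lives on the server still catches the change. The sample files, the key and the use of HMAC-SHA256 in place of a real detached signature are all constructed here.

```python
"""Hash lists next to the files vs. a manifest signed with an off-server key."""
import hashlib
import hmac

# Constructed sample "repository": file name -> contents.
REPO = {
    "Makefile": b"all:\n\tgcc -o prog main.c\n",
    "main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
}

# Constructed key held only by the maintainer, never published on the server.
OFFLINE_KEY = b"constructed-maintainer-key"


def build_manifest(files):
    """Unsigned manifest: one 'sha256  name' line per file, sorted by name."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def verify_manifest(files, manifest):
    """True when every file matches the manifest shipped alongside it."""
    return build_manifest(files) == manifest


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the manifest, standing in for a detached signature."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_signed(files, manifest, signature, key):
    """Check the signature with the off-server key first, then the files."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False
    return verify_manifest(files, manifest)


def tamper(files):
    """Someone controlling the server edits a file and refreshes the hash list."""
    changed = dict(files)
    changed["main.c"] = changed["main.c"].replace(b'puts("hi")', b'puts("hi there")')
    return changed, build_manifest(changed)


def demo():
    manifest = build_manifest(REPO)
    sig = sign_manifest(manifest, OFFLINE_KEY)          # made once, offline
    changed, changed_manifest = tamper(REPO)
    return {
        "unsigned_after_tamper": verify_manifest(changed, changed_manifest),
        "signed_after_tamper": verify_signed(changed, changed_manifest, sig, OFFLINE_KEY),
        "signed_clean": verify_signed(REPO, manifest, sig, OFFLINE_KEY),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The unsigned check passes after tampering because the rewritten hash list agrees with the rewritten file; the signed check fails because the published signature no longer covers the new manifest.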
To get it to work, you need to edit your profile phone numbers and then view the profile from *another* account (Right click on contact -> 'View Profile').
Step back a bit
I don't particularly like Facebook - I have an account that I log into once every few months just to have a quick look at what old friends are getting up to, but that's it.
That being said, I feel some are being a little harsh in the way they are expressing their opinion of the author for this article. It was not the author suggesting a $1tn valuation, rather citing a WSJ interview article regarding valuations and the 'tech bubble'.
One cannot rule out entirely that Facebook will not be as successful as Google in terms of revenue and worth, however personally I don't see it. Then again, if I could, I would probably be raking in the cash myself working for them.
My gut feeling, though, is that eventually Facebook will be superseded by the next best thing, whatever that may be.
As these are US artists, why aren't the pair being extradited to the US as with the British CS student
(Not that I want that to happen, though)?
The pair blackmailed, planted malware and went on a phishing rampage for financial gain by selling copyrighted material, yet the CS student merely linked to copyrighted material?
Some inconsistencies going on.
Please tell me they were using at least salted hashes.
Why is it every one of these large companies are apparently hiring complete idiots? I just don't understand, this is such basic stuff. Is there something I'm missing?
"if the currency were to become less attractive to pay for illegal drugs..."
Not too keen on that spin in the article, it sounds like that's all bitcoins are used for. Of course they *could* be used for such activities, including laundering, but as with everything else it's not the technology that's to blame.
My thoughts and prayers are with his family. Rest in peace
I'm pretty sure they'll cave and meet buyer demands, since if they don't they will be directly upping MW3's sales.
Fake, can see the strings
In all seriousness, that is some beautiful-looking technology. The glow of our atmosphere behind it tops it off perfectly.
Eagerly awaiting N.A.O.M.I./L.I.N.D.S.A.Y.
CS @ Manchester
There were two main reasons why I didn't choose Manchester (I should note I'm a local).
First, the entry requirements were too high (AAB or AAB a few years ago if I recall).
Secondly, it's in Manchester. I preferred a campus university where everything's in one enclosed space.
What I don't understand is how the compromise of RSA tokens resulted in network breaches. The purpose of two factors is to prevent problems if somehow one factor is compromised. It shouldn't be feasible for both to be had.
The site was unavailable when I tried to access it, so I'm just going off the article. If they have actually published the user details (email, password etc.) then they have no credibility whatsoever. You don't start complaining about a lack of security and then just show the contents to the world. Karma - 1 for them.
"Users with IP addresses based in the US and UK, however, were taken to sites offering the Mac scareware and Windows malware."
That's very interesting. Does that suggest the attacks are at least somewhat political in nature? Or is there something else about the US and UK?
"The ban is apparently aimed at attracting more shoppers into the centre of Barnsley – something which could arguably better be achieved by demolishing the place and rebuilding it from scratch."
You, Sir, win. Everything.
Re: Throw away the f*cking key!!
I heard artists earn around 1% of each sale and the rest goes to the label. That's a whole load of BS in and of itself. Then you get these artists who, despite being *paid* to *work* at gigs, have a whole host of demands that go along with each one, such as tea made from leaves picked by blind Tibetan monks brewed with the tears of a child born by immaculate conception. The entire industry is messed up; it would never slide elsewhere.
"assets including two Porsches, one Mercedes, seven bank accounts containing more than $1.6m, and four homes and three condominiums with a total value of more than $2.6m."
I'll eat my hat if a cent of this goes back to the buyers.
Calacanis does anything he can to get attention in order to get page views. He's the king of link baiting.
Re: How is this news?
It's news because they have improved upon previous methods in such a way that the feasibility of the attack is increased and the accuracy of which can be constantly improved upon through sampling and training. Also because Skype is the main target for such an attack (popular and thought to be secure).
This is my best guess based on having previously read into the research this was based on (concerning VBR in VoIP).
The music would have to be loud enough and varied enough (e.g. DnB as opposed to classical) in order to make a significant impact upon the bitstream (such being the nature of VBR encoding) in relation to the voice. Not sure if that makes sense.
If you had two people speaking simultaneously with short pauses between words and they both spoke with the same loudness, it would be harder to separate the words. If one person said one word, and the other another, the resulting bits would be as if only one person had spoken, and what he/she spoke was a single messy mash of the two words.
Perhaps an analogy is in order... if quiet background music is represented by a drop of yellow paint, and loud voice is a pot full of blue paint, mix the two together and you get a very-slightly-green blue paint. The yellow wasn't substantial enough to significantly alter the result and anyone looking at the paint will say it's blue, despite there being some yellow in it.
If you have a *pot* of yellow paint (*loud* background music) and mix the two together, you have a completely green paint. You have no idea if this was the original colour paint, or a combination of a range of colours, and there is increased difficulty in determining what the original colours/shades were.
tl;dr - Music would need to be noisy and make your voice pretty indistinguishable to a machine
As with most side-channel attacks, they're generally either not thought of at the time or considered to be so theoretical in nature that given the application it is safe to ignore.
People generally say they buy it for the online multiplayer - some don't bother with the singleplayer at all. It's disappointing that the singleplayer gets shorter each time though. The problem is they get away with it every time, regardless of how many people complain about what.
The article makes sense to me. The one thing I don't understand is their countermeasure, specifically how it does anything other than increase the factors to consider when measuring the time taken.
SQL injection? Seriously?
Where are the security folk in these companies and what are they doing?
It's just pitiful that these companies are falling down one after another after another.
I'm no expert but I'm pretty sure a ping wouldn't work. Essentially, what you're actually referring to is the DNS lookup that takes place when you ping a URL. I'd imagine that if you were connected directly to the Chinese ISP, the DNS lookup would fail since their nameservers will not have any entry for facebook.com and therefore will not return an IP address.
Can someone please explain what they actually do with the data that they retain?
My first thought was for targeted ads with AdSense, but that uses the current page being displayed if I remember rightly.
Anyway, thumbs down for Schmidt.
A 16-year-old is doing research like this? I now feel completely insignificant.
Kudos to him though, it's good that there is support and encouragement for such uses of talent.
Re: Hm Hmm Hmmm...
Network operators are already required to maintain a log of your location data based on cell tower triangulation anyway. What would be the point?
HR Department Email
Wait, don't tell me... 2011 Recruitment plan.xls?
You'd have thought a place like that would have things seriously locked down.
Locked down like 'no internet access'.
My Quick Fix
Personally, when shopping for items that can be faked in whatever way (USB storage, perfumes etc.) on eBay, I find the most effective way of eliminating 95%+ of fakes is:
[X] UK Only
[ ] Worldwide
Presumably because the Android platform is now the market leader, and is set to increase to half the market according to Gartner. That's a pretty huge deal, and additional public sector contracts would certainly play a role in keeping Android dominant.
"but disk I/O has become a bottleneck at the platter surface level, and is set to remain that way."
...for a few years until inevitably SSDs become the norm and our children say "your drives moved!?!"
Or maybe even "drives!?!"
I don't think the employee can be entirely to blame here.
Unless the company has a well-defined protocol for communication, how is an employee to know whether an email purporting to be from email@example.com is genuine or not?
Additionally, as the attachment contained a zero day exploit for a third-party app, I'm guessing that the email antivirus and system antivirus did not pick anything up.
Re: At the risk of universal obloquy...
Probably due to the extensive coverage in the media, one would assume.
If they just sat back idly and watched the events unfold, I'm sure people would have a thing or two (more) to say about our government.
One thing I didn't quite understand in this analysis was the remark about using so few Tornadoes in Libya. Surely this is a good thing as, as pointed out by the author, their payloads, running costs etc. are expensive.
Not that I know anything about military stuff though.
Making a bad situation worse
If hackers really did get to the crown jewels, thus compromising SecurID's security, RSA shouldn't hesitate for even a moment to reveal this information publicly. They cannot be taken seriously as a security vendor if the security of their customers is not their highest priority.
I would have thought the best option would be for them to assume the worst - yes, by all means refresh customers' memory regarding best security practices, but how about also telling them something along the lines of 'While we investigate, assume SecurID is broken and take necessary measures to mitigate its loss', as opposed to keeping quiet and hoping for the best.
I was under the impression that ANY amount of radiation increases your risk of health issues, similar to the mutations that occur from smoking a few cigarettes, being somewhat like Russian roulette where the bullet is a bad mutation - while some people can happily puff away for 30 years without cancer, others may develop it quickly.
Of course, we're all exposed to differing levels of radiation all the time from a multitude of sources.
However, surely it can't be considered ridiculous for people to prevent their young children from being exposed to yet another source?
If anyone has some knowledge on that, I'd appreciate hearing it.
Re: Oh, come on
I have to agree; this was certainly an inevitability.
Scumbags indeed, however they are scumbags in general. Turning the disaster into their opportunity makes no difference, and would actually raise an eyebrow if they didn't do so.
Protecting users from themselves
You have to remember that not everyone knows what HTTPS really means, let alone that their data can be redirected to another ISP, rogue or otherwise. I'd hazard a guess at saying a large majority of those who do have at least some clue about HTTPS think it's to protect them in public/open wifi hotspots, libraries etc.
I think the reason why some people here, and people in general, think that it is not a 'minor incident' is for the fact that the incident at the power plant immediately followed the devastation caused by the earthquake and following tsunami, causing people to associate said devastation with the Fukushima incident.
Given all the footage of the damage and loss of life, it's easy for people to be a bit hysterical about the Fukushima plant.
I admit that I, myself, was roped into the media frenzy surrounding it, following it every day, not knowing what to make of the information coming out. I eventually stopped following it because I kept reading seemingly contradictory information - generally along the lines of "radiation levels raised but well below limits for concern to health" and "OH GOOD GOD HEAD FOR THE HILLSSSS".
If the nuclear incident had happened on its own, I would imagine there would have been less of a panic about it.
Personal interest in security
How about it be mandatory for people with access to the USB to have their own details/ID photo/risky Facebook pictures from Dave's bachelor party stored on the drive?
Perhaps they may take a little more care in the future then.
This is a good example of why it's important to secure your wifi. I know people who refuse to do so.
When confronted about loss of speed they might encounter, they say they only use the internet for browsing anyway.
When confronted about privacy issues, they say they have nothing to hide.
That may be true, but ignorance won't stand up well for you in court, after some bugger has essentially framed you by hopping on your connection.