Posts by gollux

343 posts • joined 11 Sep 2007

If you're one of millions using Magento – stop whatever you're doing and patch now

gollux

Re: Magento does not properly validate this email

Myhandler, No, I don't think that's ok, and Passive Smoking's post illustrates exactly the reason why.

Now step back to SUPEE-5344 where a similar trick could be used to directly inject Admin accounts into the Admin user database with full administrative access. The patch was released in February but not really announced besides just having a download link on their website. They got in a dead panic about announcing the need to patch somewhere in April because the people who found it decided to publish. Man that was a three ring circus...

0
0
gollux

Re: I'd like to point out...

You making fun of Broken Perl? I have some broken Pointers I can pass your way.

0
0
gollux

Re: Magento does not properly validate this email

The validation happens client-side in JavaScript. You can't get the exploit samples to pass unless you shut it off.

0
0
gollux

Re: seen this before

Magento does the reverse. Store anything, sanitize the output for proper application.

With proper use of parameterized queries, the XKCD joke never works, no input sanitization needed.

I'm kind of a belt and suspenders type guy and like the idea of taking junk out both coming and going; however, I've had it proven several times how input sanitization can totally fail.

I think security has to do with that defense in depth thing.

1
0

For fsck's SAKKE: GCHQ-built phone voice encryption has massive backdoor – researcher

gollux

Cure for that...

Exploit it hard and exploit it often, make everything intercepted public.

That way the playing field can be level instead of only of use for governmental and industrial espionage.

2
0

Zombie OS lurches through Royal Melbourne Hospital spreading virus

gollux

Be ready...

for another jump in the pricing of Affordable Health Care. All that expense has to be paid for somewhere, between drug companies thinking that they should increase the price on 60 year old pill compositions and the need to flush current technology out the door every 3-5 years in order to keep ahead of computer criminals. Next time you want an explanation on where the health industry is headed, go flush a toilet and observe the swirl.

0
0

Updated Android malware steals voice two factor authentication

gollux

Isn't it sweet...

Every time we come up with a supposed sure fire method to increase security, we soon have a nice method to completely circumvent it...

3
1

PDF redaction is hard, NSW Medical Council finds out - the hard way

gollux

It isn't redacted unless the document is recreated with the redacted content removed, versioning explicitly turned off and meta information scrubbed.

10
0
gollux

Re: Another common error...

Heh, the old cut'n paste to Notepad for redaction recovery, something I try every time I come across redacted text.

5
0

Facepalm time: MS Office update wipes custom Word autotext

gollux
Facepalm

Microsoft patch quality just keeps getting better over time! And now you don't have to worry whether they got applied or not, they will automatically be installed for you. All praise Microsoft for making computing a better and more efficient part of our lives!

15
0

Ho ho hosed: Asian biz malware pwns air-gaps, thousands of Androids

gollux
Trollface

Pretty dang cool! Don't we just live in interesting times?

Things will get better as time goes on!!! I just know it will!

1
0

Windows' authentication 'flaw' exposed in detail

gollux

So, the final paragraph essentially is saying, "Upgrade to Microsoft's latest desktop OS and Server software, trust us, enable these new untested doohickies and pray". Stuff starts hitting the fan pretty shortly...

Man, I'm getting tired of this... Between crap security patches and crap protocol implementation, I'm glad my other system is a Linux box... Time to give Winders a vacation, perhaps retirement.

26
21

Linksys routers vulnerable through CGI scripts

gollux

Hey, great news! Cisco/Linksys is so darn cool! Thank you for providing such quality equipment!

Oh, damn. Forgot the Sarcasm tags. And it isn't just their customer grade crap that's vulnerable either. They've been making great strides on their commercial equipment as well. Darn it... Need more sarcasm tags.

2
4

HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking

gollux

Welcome to the IoT which is in reality the IoC

Cisco is increasingly a high dollar trash marketer, the extra you pay for the name is increasingly for high performance security leakage.

7
0

Tor Project: Anonymity ain't free, folks. Pony up

gollux
Black Helicopters

Anonymity wants to be free...

0
0

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

gollux

Re: "You fucked up - you trusted Dell"

Loss of brain connection. It's funny how little time passed between Lenovo issuing such a statement and the first POCs starting to flow to show how little a grasp on security the company had.

Dell's on my s-list for messing up a couple of servers a few years ago. And s- doesn't stand for short.

When your server sounds like it's a couple bricks slamming around which turns out to be the hard drive subassembly, well... and now a trusted malware signing tool freely available... banishment to the ninth circle is in order.

2
0
gollux
Mushroom

Have you been Delled today? How's it feel to be one of the little people?

I've just been Delled and I don't like it!

Gee, that's really Delled...

Go Dell off, MoDo...

Situation Normal, All Delled Up.

Just remember, Dell's a four letter word that has new meaning. You've all been warned.

4
0

Shocker: Smut-viewing Android apps actually steal your data

gollux
Mushroom

Monkey trap, stick your hand in the hole to retrieve the shiny object, find sharpened spikes driven in at an optimal angle so you can't get your hand out...

0
0

Homebrew crypto in Telegram hangout app full of holes, say security pros

gollux

The NSA paid me a million dollars to create a roll-my-own encryption scheme, create a hangout app and use some privacy drivel to get Jihadists to think it would be really cool to use...

0
0

Hillary Clinton: Stop helping terrorists, Silicon Valley – weaken your encryption

gollux

Vote for a level playing field for all. Eliminate encryption so that all industrial espionage becomes as easy as reading a newspaper. The US has nothing to give away anymore, it all leaked away years ago.

7
1

Faux Disk Encryption: Mobile phone crypto not a magic bullet

gollux

Sounds about right. Real world applications always trump academic air castle building.

Encryption is easy, good encryption and its implementation is really, really hard.

2
0

One Bitcoin or lose your data, hacked Linux sysadmins told

gollux
Mushroom

Re: Well,

Magento shoplift bug (it's embarrassing): the patch was out in February, Magento finally got around to breathless wittering that a patch was available in May, and unpatched sites have been having admin user accounts directly injected ever since.

Current barn door is Zend SOAP XML API hole fails under UTF-8 (it's embarrassing)

8
0
gollux
Mushroom

Re: We'll be safe

DIY Magento tends to be unmaintained VPS with cargo cult configurations and unpatched Magento 1.3/1.4 codebase. About right.

After all, it's Linux, it's gotta be safe (true comment)

Virus on AWS? I can't believe it! Even with so much care and I'm attacked, I'm changing hosting (true comment)

2
0

Kill Flash: Adobe says patch to fix under-attack hole still days away

gollux
FAIL

Re: Stuck by other people's decisions

Yeah, Sage 100 2015 has this amazing thing they say we really can use to make our ERP experience amazingly simple...

Visual Workflow...

A sodding flash interface for their accounting package...

Which we don't use in our company...

Because we've eliminated Flash.

How to program like it was 2005, way to go Sage Software!

1
0

Radio wave gun zaps drones out of the sky – and it's perfectly legal*

gollux

It's Battelle, they probably hold a pending license from the FCC for its use as a drone interceptor used by civil and law agencies to remove drones from aircraft operations areas such as wildfire zones, etc. They're a defense and governmental research contractor.

0
0
gollux

Re: Strap a phone to it...

GPS signals are so crappily weak that it takes very little to completely neutralize them. You are using pseudorandom noise to bring the signal above the noise floor so it can be detected. All that's needed is a more powerful local pseudorandom noise generator. We shut down ability to use GPS within a 2 mile radius when our GPS signal regenerator failed, funny how the feds start knocking on doors when that happens. Experience gained from working in an avionics shop. What we navigate on is very tenuous and not authenticated.

5
0

Google bugle sounds patch release for Android Stagefright 2.0

gollux

Your likelihood of being patched is numpty unless you happen to own one of those devices whose manufacturers give you some sort of extended Android OS upgrade support, or if you are using one of those devices supported by the Cyanogen project. Time to start getting really critical of what you buy, if they don't give you at least 18-24 months of Android OS upgrades, or it isn't popular enough to get Cyanogen's attention, don't buy it.

Amazon seems to have a hound in the hunt, if they don't provide protection for their customers, they lose the income stream enabler known as the Kindle Fire...

4
0

Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015

gollux

Is this what's known in the security industry as a butthead overflow?

1
0

It's still 2015, and your Windows PC can still be pwned by a webpage

gollux

2015 is nearly over, complexity has increased and patches are still needed.

Is your IoT up to date as well?

In other news, reported that change is constant and accelerating... <= physical law paradox noted.

5
0

Boffins laugh at Play Store bonehead security with instant app checker

gollux

Yeah, we get it, Google Play Store and Android increasingly are the turds floating in the mobile device pool. Not enough competition, what with Apple, Amazon's Fire Android variant and Microsoft Windows 10 being the only other options out there. Wait, maybe it's time to dump Google Android.

2
14

Password 'XXXXairocon' pops Wi-Fi routers from ASUS, ZTE and others

gollux

In other news, idiot device developers still deploy telnet.

3
3

Blackhats using mystery Magento card stealers

gollux

The WordPress of eCommerce, brought to you by Magento, an eBay company(tm)

A bazillion plugins, lots of them for "free" created by security naifs and amateur programmers posing as Magento Experts.

0
0

Phishing gone: eBay patches to block session-jacking Magento holes

gollux

The WordPress of eCommerce, brought to you by Magento, an eBay company(tm)

A bazillion plugins, lots of them for "free" created by security naifs and amateur programmers posing as Magento Experts.

0
0

We need to know about the Internet of Things, say US Senators

gollux

About time?

Old men trying to learn new tricks.

So, does that mean that lawmakers are now trying to be up-to-date instead of a decade late?

Going to try understanding the new environment before passing laws instead of passing laws to uphold outdated business practice.

OMG, we hope they know what they're doing at the end of the day?

0
0

Hackers exploit fresh PC hijack bug in Adobe Flash Player, the internet's screen door

gollux

Re: So the internet is actually

Actually, the internet is a bunch of bongs. It's all that haze that keeps the programmers at Adobe from getting it right.

3
0

NIST issues 'don't be stupid' security guidelines for contractors

gollux

Equine movement control and the Governmental Monolith...

Last I heard, the horses were in Poland, not sure how they made the water passage over either the Atlantic or Pacific Ocean to get there. Also, about 500 gallons of 3-in-1 oil has been ordered to lube the rusty hinges, tracks, wheels and door latches so that the barn doors can be swung to the closed position.

2
0

Poison résumé attack gives ransomware a gig on the desktop

gollux

And block zip file attachments in your email client. They're mostly only ever used as attack mechanisms anymore.

0
1

Industrial Wi-Fi kit has hard-coded credentials

gollux

Re: How about this...

It should be legal to deliver them via airdrop by the ton packing crate. A few salvos through the R&D headquarters should suffice.

5
0

Latest Snowden leak: NSA can snoop internet to catch 'hackers' – no warrants needed

gollux

Re: Just how did Snowden get all this info?

Heh, you're just going to find out how incompetent the NSA is at security in the next couple of years. People always think incompetence in Security Agencies to be highly unlikely and I always get extremely amused when they act so surprised when their own incompetent surmise bubble gets pricked.

3
0
gollux

Re: too late

Heh, all this surveillance and Sony got owned, and now 4,000,000 Federal Employees have been owned. How much more has escaped notice in their Big Data experiment?

Sounds like the NSA can gather tremendous quantities of data, but protect us just as effectively as the TSA. 95% fail, 5% possible maybe...

11
0

Forget black helicopters, FBI flying surveillance Cessnas over US cities. Warrant? What's that?

gollux

Re: Time to

Don't worry, the time has come for mini-assassin drones with green laser detectors. I would be the first to buy one for disposal of the idiot that keeps flashing people on our local highway.

4
0

Airbus warns of software bug in A400M transport planes

gollux
Headmaster

Re: Under "wraps"? Seems odd....

The term is "Adversarial Law" or "Guilty until proven innocent". While the Church was a law unto itself and had its fingers in the pie, the Secular System was a bit separate from the Inquisition.

2
8
gollux

At least it doesn't fly inverted on crossing the equator...

2
1

Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday

gollux

Pretty much the way Windows Server 2012 R2 operates out of the box. Buh? I had a process that was supposed to run overnight, why did it crash? Oh, jeeze the little icon in the tray says Windows Update rebooted the machine at 2:30 am...

Now when they get good enough to not require any restart except for kernel patches and give you fair warning that a system restart is needed, then I'll bite.

6
5

EXTREME COUPONING zeros checkout carts in eBay's Magento

gollux

Re: It seems like it would be slightly difficult to exploit

And if you're offering downloadables, it's all free.

0
0
gollux

Re: It seems like it would be slightly difficult to exploit

All sites running versions up to CE 1.9.1.0 are vulnerable... Until patched.

Your highly paid for Enterprise version also is a wide open swinging barn door.

And Magento suffers regression errors: when you upgrade, the core patched files are overwritten, which causes your website to be open to the wide world all over again until re-patched with ALL the patches that apply to your current version.

The patch is a shell script patch that needs to be manually run with crossed fingers in the hopes it doesn't blow chunks.

After patching, you still aren't in the clear... Your fully patched website is still vulnerable.

If you're running the kludge compiler, recompile. Then clear your Magento cache, best if done by manually deleting the cache subfolders just to be sure. Then, if you're running an opcode cache, better clear that as well.

0
0
gollux

Mag-E-Bay...

Kind of a really snaky path from initial release to final exploit. It was one of Mag-E-Bay's best kept secrets that a patch existed till recently...

https://www.ostraining.com/blog/general/magento-shoplift/

0
0

When the Schmidt hits The Man: Look what the NSA made Google do

gollux

Google AI coming to a computer near you...

We welcome Google Cyberdyne Skynet into our daily lives!

Watch out NSA, the GDDN will be on your tail.

1
0

Watch: Nasty JPEG pops corporate locks on Windows boxes

gollux

Re: What’s going on here?

Heh, YouTube knows how to use HTML 5, but the Security Researcher doesn't... Amusing.

10
2

It's 2015 and a RICH TEXT FILE or a HTTP request can own your Windows machine

gollux

So, I had to deploy a brand new Windows 8.1 workstation the other day and by the time I got through, Microsoft had downloaded 1.8G of patches to install... Begs the question, where's the service pack to help prevent this? Oh, wait, we'll be getting Service Pack X (Windows 10) soon.

My question, after the same period of time after release, is Spartan going to be coming home on its shield?

7
0
