back to article DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

This week we wrangled with alleged Russian election meddling, hundreds of millions of username-password combos spilled online, Oracle mega-patches, and claims of RICO swap-gangs. While all that was happening, here are a few more bits and bytes of infosec news. Swipe right… to steal private info for Safari It seems a new …

  1. Ken Moorhouse Silver badge
    Coat

    The moral of the story: always forge in Cuneiform

    Ok, I'll keep taking the tablets.

  2. steviebuk Silver badge

    Es file explorer

    Went to shit a while ago. Forced to use it as can't find anything better for NAS access

    1. Anonymous Coward
      Anonymous Coward

      Re: Es file explorer [alternative app (fast NAS access)]

      steviebuk,

      For fast NAS access use 'FX File Explorer'.

      I had the 'very slow NAS access' problem with ES Explorer and after trying many 'xx Explorer' named apps found 'FX File Explorer'.

      It is a paid extra for the optional 'FX+' Add-On [for Access to networked computers, including FTP, SSH FTP, WebDAV, and Windows Networking (SMB1 and SMB2) +++] BUT it does access my NAS in seconds (time to scan and display files).

      See https://play.google.com/store/apps/details?id=nextapp.fx&hl=en_US

      1. Griffo

        Re: Es file explorer [alternative app (fast NAS access)]

        Not as full featured - but free - AndSMB provides both SMBv2 and SMBv3 support.

    2. Snake

      Re: Es file explorer went to shit

      RE: ES File Explorer. Oh yes, it went to shit and this just pushes it down into the septic field.

      RE: replacement. Like you, I stayed with ES far too long as I didn't know of a good replacement. However, I just downloaded Total Commander. LAN, FTP and SFTP modules are available for free download (direct link or Google Play) and they do indeed work. Not nearly as pretty but no code bloat, no ads, no unnecessary bull, yet very functional. Give it a try!

      1. Alistair Silver badge
        Windows

        Re: Es file explorer went to shit

        I'm liking Total Commander at the moment -- I've been looking to replace ES for quite some time.

        Now I need something to replace the (ES) task manager that originally attracted me....

    3. Dan 55 Silver badge

      Re: Es file explorer

      Try Explorer or Ghost Commander with the SMB plugin.

      I think the local HTTP server for ES File Explorer would be for transferring files over LAN or WiFi Direct, but in an effort to make it tap-and-drool they opened up a honking great backdoor.

      1. steviebuk Silver badge

        Re: Es file explorer

        Ooo some nice suggestions. I'll have a look. I used VLC the other day but that as a weird lag issue now and then. You'll be mid way through a file and it will pause for about 30 seconds to a minute then recover. It's odd.

        Sometimes when the NAS isn't available or I'm on holiday at a lodge, I'll create a share on Windows and then access the files through ES file explorer that way. But have wanted a replacement for ages. Will take a look at the others. Thanks.

  3. Chewi
    Thumb Down

    Don't touch ES File Explorer with a barge pole

    I vaguely recall it was good once but it borders on malware now, this vulnerability aside.

    1. Phil Kingston Silver badge

      Re: Don't touch ES File Explorer with a barge pole

      I think the last version I used started to get all touchy-feely and ask if it could clean up some files it identified as no longer required. And had some funky UI bits and bobs that meant it was hard to get to actually use it as a File Explorer.

      If I'd wanted a questionable-value "system optimizer" data slurper I'd have downloaded one. I want a file explorer to allow me to explore files.

      1. Charles 9 Silver badge

        Re: Don't touch ES File Explorer with a barge pole

        Saw that, too. I think the last straw was some lockscreen spam, though.

    2. ds6 Bronze badge

      Re: Don't touch ES File Explorer with a barge pole

      v3.2.5.5 was the last non-malware version—but even it suffers from this vulnerability. I am thoroughly spooked, but at least I very rarely connect to public WiFi unless 100% necessary. Constant use of private VPNs also helps :)

      https://github.com/fs0c131y/ESFileExplorerOpenPortVuln/issues/10

  4. Anonymous Coward
    Anonymous Coward

    Premisis

    So let me see, at some point the vendor will fix the cyber problems. But all of the physical endpoints around facilities will still be in keyed-alike sheet metal boxes with locks you can probably get from a cereal box. Secure?

    If you really care about a facility, get guards, gates, and guns. Higher threat? Doggies.

    1. DCFusor Silver badge

      Re: Premisis

      Deviant O, is that you? https://youtu.be/Rctzi66kCX4

      Skip out to 6:06 or so. No need to pick locks when most installations are so bad you can just walk in without even breaking step - mis installed striker plate....stuff like that.

      I've seen this guy open a locked door to a bank with a mouthful of whiskey spit through the crack to defeat the emergency let me out IR detector.

      Many jurisdictions require all keys for a building to be put in a lockbox outside, which are all keyed the same so people like firemen can get in easily. And you can just buy that key that gives you all the others.

      Lock Picking Lawyer (recommended YT) is good - but this guy is better. Picking even a simple lock is a last resort.

      Guards and dogs...defense in depth (See Bruce Schneier on that topic too).

      1. JWLong

        Re: Premisis

        Many jurisdictions require all keys for a building to be put in a lockbox outside, which are all keyed the same so people like firemen can get in easily. And you can just buy that key that gives you all the others.

        The key to the lock box, called a "Knox Box" are not available to just anyone. Only fire departments are allowed to have a key to these boxes, and individual fire departments are allowed to spec special keying.

        At $300.00 for the smallest box, they are a (very) controlled access item.

        1. DCFusor Silver badge
          FAIL

          Re: Premisis

          Obviously you haven't watched this guy's videos. The keys are for sale on ebay and other places if you know the #, which I won't post here - but they are listed in his videos, along with screenshots of them for sale from various vendors on ebay as well as THE ORIGINAL MANUFACTURERS. Prices are under $20, not 300+.

          Another link for short attention span types: https://www.youtube.com/watch?v=rnmcRTnTNC8&t=154s

          "Not allowed" means nothing at all.

          How much stuff is illegal yet widespread? How many criminals are law-abiding? I'm sure you know cocaine, driving drunk, murder, burglary (relevant here) and tons of other stuff is "not allowed", right?

          Crossing the border of the US without proper procedure is "not allowed", but an estimated 12 million or so have made it fine.

          Watching this guy and other pen testers just walk in, needing at most only a small keyring with around 10 keys that cover > 90% of all lockboxes, is illuminating. And he and others list the specs of said keys, in standard locksmith lingo, as well as mention which ones you can just duplicate at your hardware store.

          I'm sure police cruisers, which are pretty much all keyed the same, which become taxis, still keyed the same, are the exception, except they aren't and many departments don't even know this as he points out. You can't spec something be made more safe if you assume it already is.

          I believe you are either uninformed or hoping that others remain so.

          The status of physical security now is kind of like that of LAMP before someone realized how easy SQL injection was (or any number of now-obvious flaws).

  5. Jamie Jones Silver badge

    Not acceptable

    "An insecure Android file manager app, ES File Explorer, with 100-million-plus downloads, opens a HTTP web server to the local network, allowing any miscreant able to reach the device to download files at will,"

    That's not a bug, or an oversight, that's a fundamental coding errror.

    I wouldn't trust that author again

    1. ThatOne Silver badge
      Unhappy

      Re: Not acceptable

      > a fundamental coding error

      Coding a fully functional HTTP server is a "coding error"? Some error! There are people who would want to do it on purpose and yet fail.

      This is definitely a voluntary attempt to get into peoples' phones.

      1. Jamie Jones Silver badge

        Re: Not acceptable

        I presumed it was added to allow access to the files from the users other machines, in which case, it was a coding error to not have any authentication.

        A backdoor that can only be accessed locally is a big hole, but not much use for the person who wrote it.

  6. Anonymous Coward
    Anonymous Coward

    wrong headline?

    Shouldn't that have been "Telco Exec grabbed by his fonts"?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019