DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

This week we wrangled with alleged Russian election meddling, hundreds of millions of username-password combos spilled online, Oracle mega-patches, and claims of RICO swap-gangs. While all that was happening, here are a few more bits and bytes of infosec news. Swipe right… to steal private info for Safari It seems a new …

  1. Ken Moorhouse Silver badge

    The moral of the story: always forge in Cuneiform

    Ok, I'll keep taking the tablets.

  2. steviebuk Silver badge

    Es file explorer

    Went to shit a while ago. Forced to use it as I can't find anything better for NAS access.

    1. Anonymous Coward

      Re: Es file explorer [alternative app (fast NAS access)]

      steviebuk,

      For fast NAS access use 'FX File Explorer'.

      I had the 'very slow NAS access' problem with ES Explorer and after trying many 'xx Explorer' named apps found 'FX File Explorer'.

      It is a paid extra for the optional 'FX+' Add-On [for Access to networked computers, including FTP, SSH FTP, WebDAV, and Windows Networking (SMB1 and SMB2) +++] BUT it does access my NAS in seconds (time to scan and display files).

      See https://play.google.com/store/apps/details?id=nextapp.fx&hl=en_US

      1. Griffo

        Re: Es file explorer [alternative app (fast NAS access)]

        Not as full featured - but free - AndSMB provides both SMBv2 and SMBv3 support.

    2. Snake Silver badge

      Re: Es file explorer went to shit

      RE: ES File Explorer. Oh yes, it went to shit and this just pushes it down into the septic field.

      RE: replacement. Like you, I stayed with ES far too long as I didn't know of a good replacement. However, I just downloaded Total Commander. LAN, FTP and SFTP modules are available for free download (direct link or Google Play) and they do indeed work. Not nearly as pretty but no code bloat, no ads, no unnecessary bull, yet very functional. Give it a try!

      1. Alistair

        Re: Es file explorer went to shit

        I'm liking Total Commander at the moment -- I've been looking to replace ES for quite some time.

        Now I need something to replace the (ES) task manager that originally attracted me....

    3. Dan 55 Silver badge

      Re: Es file explorer

      Try Explorer or Ghost Commander with the SMB plugin.

      I think the local HTTP server for ES File Explorer would be for transferring files over LAN or WiFi Direct, but in an effort to make it tap-and-drool they opened up a honking great backdoor.

      1. steviebuk Silver badge

        Re: Es file explorer

        Ooo, some nice suggestions. I'll have a look. I used VLC the other day but that has a weird lag issue now and then. You'll be midway through a file and it will pause for about 30 seconds to a minute, then recover. It's odd.

        Sometimes when the NAS isn't available or I'm on holiday at a lodge, I'll create a share on Windows and then access the files through ES file explorer that way. But have wanted a replacement for ages. Will take a look at the others. Thanks.

  3. Chewi

    Don't touch ES File Explorer with a barge pole

    I vaguely recall it was good once but it borders on malware now, this vulnerability aside.

    1. Phil Kingston

      Re: Don't touch ES File Explorer with a barge pole

      I think the last version I used started to get all touchy-feely and ask if it could clean up some files it identified as no longer required. And had some funky UI bits and bobs that meant it was hard to get to actually use it as a File Explorer.

      If I'd wanted a questionable-value "system optimizer" data slurper I'd have downloaded one. I want a file explorer to allow me to explore files.

      1. Charles 9

        Re: Don't touch ES File Explorer with a barge pole

        Saw that, too. I think the last straw was some lockscreen spam, though.

    2. ds6 Silver badge

      Re: Don't touch ES File Explorer with a barge pole

      v3.2.5.5 was the last non-malware version—but even it suffers from this vulnerability. I am thoroughly spooked, but at least I very rarely connect to public WiFi unless 100% necessary. Constant use of private VPNs also helps :)

      https://github.com/fs0c131y/ESFileExplorerOpenPortVuln/issues/10

  4. Anonymous Coward

    Premises

    So let me see, at some point the vendor will fix the cyber problems. But all of the physical endpoints around facilities will still be in keyed-alike sheet metal boxes with locks you can probably get from a cereal box. Secure?

    If you really care about a facility, get guards, gates, and guns. Higher threat? Doggies.

    1. DCFusor

      Re: Premises

      Deviant O, is that you? https://youtu.be/Rctzi66kCX4

      Skip out to 6:06 or so. No need to pick locks when most installations are so bad you can just walk in without even breaking step - misinstalled striker plate... stuff like that.

      I've seen this guy open a locked door to a bank with a mouthful of whiskey spit through the crack to defeat the emergency let me out IR detector.

      Many jurisdictions require all keys for a building to be put in a lockbox outside, which are all keyed the same so people like firemen can get in easily. And you can just buy that key that gives you all the others.

      Lock Picking Lawyer (recommended YT) is good - but this guy is better. Picking even a simple lock is a last resort.

      Guards and dogs...defense in depth (See Bruce Schneier on that topic too).

      1. JWLong

        Re: Premises

        Many jurisdictions require all keys for a building to be put in a lockbox outside, which are all keyed the same so people like firemen can get in easily. And you can just buy that key that gives you all the others.

        The keys to the lock box, called a "Knox Box", are not available to just anyone. Only fire departments are allowed to have a key to these boxes, and individual fire departments are allowed to spec special keying.

        At $300.00 for the smallest box, they are a (very) controlled access item.

        1. DCFusor

          Re: Premises

          Obviously you haven't watched this guy's videos. The keys are for sale on ebay and other places if you know the #, which I won't post here - but they are listed in his videos, along with screenshots of them for sale from various vendors on ebay as well as THE ORIGINAL MANUFACTURERS. Prices are under $20, not 300+.

          Another link for short attention span types: https://www.youtube.com/watch?v=rnmcRTnTNC8&t=154s

          "Not allowed" means nothing at all.

          How much stuff is illegal yet widespread? How many criminals are law-abiding? I'm sure you know cocaine, driving drunk, murder, burglary (relevant here) and tons of other stuff is "not allowed", right?

          Crossing the border of the US without proper procedure is "not allowed", but an estimated 12 million or so have made it fine.

          Watching this guy and other pen testers just walk in, needing at most only a small keyring with around 10 keys that cover > 90% of all lockboxes, is illuminating. And he and others list the specs of said keys, in standard locksmith lingo, as well as mention which ones you can just duplicate at your hardware store.

          I'm sure police cruisers, which are pretty much all keyed the same, which become taxis, still keyed the same, are the exception, except they aren't and many departments don't even know this as he points out. You can't spec something be made more safe if you assume it already is.

          I believe you are either uninformed or hoping that others remain so.

          The status of physical security now is kind of like that of LAMP before someone realized how easy SQL injection was (or any number of now-obvious flaws).

  5. Jamie Jones Silver badge

    Not acceptable

    "An insecure Android file manager app, ES File Explorer, with 100-million-plus downloads, opens a HTTP web server to the local network, allowing any miscreant able to reach the device to download files at will,"

    That's not a bug, or an oversight, that's a fundamental coding error.

    I wouldn't trust that author again.

    1. ThatOne Silver badge

      Re: Not acceptable

      > a fundamental coding error

      Coding a fully functional HTTP server is a "coding error"? Some error! There are people who would want to do it on purpose and yet fail.

      This is definitely a voluntary attempt to get into people's phones.

      1. Jamie Jones Silver badge

        Re: Not acceptable

        I presumed it was added to allow access to the files from the user's other machines, in which case it was a coding error to not have any authentication.

        A backdoor that can only be accessed locally is a big hole, but not much use for the person who wrote it.
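        The missing check that the reply above describes, as an added illustration rather than code from ES File Explorer, the article or any commenter: a minimal LAN file-transfer endpoint in Python whose request handler refuses every request that lacks a per-session bearer token and rejects paths that escape the shared directory. The names `authorize`, `safe_join`, `AuthenticatedFileHandler` and `make_server` are assumptions of this example, and the server is a constructed stand-in, not a model of the real app's protocol.

```python
"""Added example: a LAN file-transfer endpoint that will not serve anything
without authentication. Constructed illustration, not code from ES File
Explorer or from anyone in this thread."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path


def authorize(headers, expected_token):
    """Return True only when the request carries 'Authorization: Bearer <token>'
    matching expected_token. compare_digest keeps the comparison constant-time,
    so a wrong guess does not reveal how many leading characters were right."""
    value = headers.get("Authorization", "")
    scheme, _, presented = value.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def safe_join(root, request_path):
    """Resolve request_path underneath root. Returns None when the resolved
    path would leave root (for example via '..'), so a caller never serves
    files outside the shared directory."""
    base = Path(root).resolve()
    candidate = (base / request_path.lstrip("/")).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


class AuthenticatedFileHandler(BaseHTTPRequestHandler):
    """Serves files from `root` over GET, but only to callers presenting `token`.
    The 'coding error' version of this handler is the same class with the
    authorize() check deleted: every device on the network could then read files."""

    root = "."
    token = ""  # replaced per server instance by make_server()

    def do_GET(self):
        if not authorize(self.headers, self.token):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer realm="files"')
            self.end_headers()
            return
        # Drop any query string before resolving the path against the share.
        target = safe_join(self.root, self.path.split("?", 1)[0])
        if target is None or not target.is_file():
            self.send_response(404)
            self.end_headers()
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def make_server(root, port=0, token=None):
    """Bind on the LAN (all interfaces) so other devices can fetch files, but
    gate every request behind a fresh random token. Returns (server, token);
    the token is what the user would show on-screen to the receiving device."""
    token = token or secrets.token_urlsafe(32)
    handler = type("BoundHandler", (AuthenticatedFileHandler,),
                   {"root": root, "token": token})
    return ThreadingHTTPServer(("0.0.0.0", port), handler), token


if __name__ == "__main__":
    server, token = make_server(".")
    print(f"serving on port {server.server_address[1]}; token: {token}")
    server.serve_forever()
```

        The token is generated per session and never reused, so reaching the listener on the local network is not enough to read anything; the receiving device must have been shown the token by the phone's owner. Path containment is the second check a LAN file endpoint needs, since "serve files from this folder" silently becomes "serve any file" if `..` is not resolved and rejected.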

  6. Anonymous Coward

    wrong headline?

    Shouldn't that have been "Telco Exec grabbed by his fonts"?
