* Posts by FlamingDeath

317 posts • joined 30 Oct 2015


What's that smell? Oh, it's Newegg cracked open by card slurpers

FlamingDeath
Bronze badge
Pint

Re: Content Security Policy

securityheaders.com

Thanks for the shout, I was a C, I am now A

Beers all round

1
0
FlamingDeath
Bronze badge
Thumb Up

Whats that smell?

This article definitely needs this scene from Fight Club as it appears to be lacking a picture

0
0
FlamingDeath
Bronze badge

This is clientside

With the way the world is going with CDNs serving god knows what, can you imagine end-users running outbound default DROP policies in their firewalls?

I tried that once a long time ago, and it was annoying then; this was before CDNs started becoming the norm

0
0
FlamingDeath
Bronze badge

Re: How did they get the code on the page?

I'll be honest, XSS is a little confusing for me; there are non-persistent and persistent XSS.

This was a persistent XSS attack, so they would have had to store their code somewhere, DB?

To get their code on there, they are probably exploiting either some unpatched or 0day vuln or SQL injection, but I am just guessing here

1
0
FlamingDeath
Bronze badge

Re: Certificate does not equal legitimate - never has

That's not really relevant in this case, because the domain (new egg stats.com) was pointed to from within embedded JavaScript and would not have been shown in the address bar. It might not have shown up in the NoScript blocked list either as a third-party script showing the dodgy domain name, because the script is being served by the first-party company website database, not a third party; NoScript would very likely have flagged it as "Cross-site suspicious requests". Whether or not an end-user would know its legitimacy is another question: it sounds like a domain owned by Newegg, as opposed to some autogenerated domain name with random gibberish, but with hindsight we know it isn't.

I'm purely going by the information in this screenshot

1
0
FlamingDeath
Bronze badge

Re: 2FA

This was a persistent XSS attack AFAIK, some banks do carry out ad-hoc security checks for unusual transactions, for example phoning the customer. There is no ability as of yet to enter a 2FA OTP into a POS terminal

I fail to see how a bank can mitigate the failing of a separate business in securing their website, especially one which allows for financial data to be input. A better solution would have been for the compromised business to have at least some inkling of what is going on in their infrastructure, but that costs money for staff to implement and carry out such a task. Unfortunately these businesses love money too much and don't want to properly invest in security

I have my own website, and while it's not the most complicated by any means, I know every single bit of code that's on there; can these businesses say the same about their websites?

One possible solution would be to cronjob a script which searches their DBs and code for :// and reports back what it finds, but for that to work, they have to at the very least know what their estate looks like

I've seen this kind of clusterfuck before at a company I worked for briefly: they had no 2FA on their registrar account but had a DNS record pointing vpn.TLD.com to an IP address which was a GoDaddy shared hosting webserver in the USA that had something like 2,000 websites when checking reverse IP, and they didn't have any offices in that region. Think about it: no 2FA on the registrar account, VPN pointing to shared hosting websites, in a country where they didn't have any presence. When I asked about it, nobody knew what it was. This company was a joke and was run by jokers

4
0
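The cronjob idea in the post above, written out as an added example (this is not code from the original post, from Newegg, or from any tool named on the page). It walks a web tree and any database dumps alongside it, and reports every URL host that is not on an allowlist. It goes slightly beyond a bare search for "://": it also catches protocol-relative "//host/..." references, which is how the injected script reference in this kind of attack is often written. The allowed hosts, file suffixes, and the three sample files it builds under a temporary directory are all constructed for the example; a real deployment would take the allowlist from the site's own inventory, which is the "know what your estate looks like" step the post insists on.

```python
# Added example (not from the original post or from Newegg): a cron-able
# scan that walks a web tree plus DB dumps and reports every URL host that is
# not on an allowlist. It extends the "grep for ://" idea to protocol-relative
# "//host/..." references, which a bare "://" search would miss.
import re
import sys
import tempfile
from pathlib import Path

# Matches "scheme://host" and protocol-relative "//host"; group 1 is the host.
URL_RE = re.compile(
    r"(?:[A-Za-z][A-Za-z0-9+.-]*:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})"
)

# Assumption: hosts the site legitimately loads from. A real deployment would
# generate this from the site's inventory (the "know your estate" step).
ALLOWED_HOSTS = {"www.example-shop.com", "cdn.example-shop.com"}

# File types worth scanning: templates, scripts, and database dumps.
SCAN_SUFFIXES = {".html", ".htm", ".js", ".php", ".sql", ".txt"}


def external_hosts(text):
    """Return the set of lowercase hostnames referenced by URLs in text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def scan_tree(root, allowed=frozenset(ALLOWED_HOSTS)):
    """Walk root; return (relative_path, line_no, host) for every host not in allowed."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole run
        for line_no, line in enumerate(text.splitlines(), 1):
            for host in sorted(external_hosts(line) - allowed):
                findings.append((str(path.relative_to(root)), line_no, host))
    return findings


def build_sample_tree():
    """Constructed sample data: a page with a legitimate CDN script, a JS file
    with only a comment, and a DB dump containing an injected third-party script."""
    root = Path(tempfile.mkdtemp())
    (root / "checkout.html").write_text(
        '<script src="https://cdn.example-shop.com/app.js"></script>\n')
    (root / "app.js").write_text("// local helper, no external references\nvar x = 1;\n")
    (root / "pages_dump.sql").write_text(
        "INSERT INTO pages VALUES (1, '<p>Checkout</p>"
        "<script src=\"//stats-collector.example/lib.js\"></script>');\n")
    return root


if __name__ == "__main__":
    # With no argument the script scans the constructed sample tree;
    # from cron you would pass the real document root or dump directory.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, line_no, host in scan_tree(target):
        print(f"{rel}:{line_no}: unexpected host {host}")
```

Run it from cron against the document root and the directory where nightly dumps land, e.g. `python3 scan_urls.py /var/www/html | logger -t urlscan`; only the line from the constructed DB dump is reported, because the CDN host is on the allowlist and the JavaScript comment contains no host. The allowlist is the weak point of any such check: a host that "sounds like" the company's own, as discussed above, only gets flagged because it is absent from the inventory, so the inventory has to be maintained.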
FlamingDeath
Bronze badge

Re: Barbarians!

Video

1
0
FlamingDeath
Bronze badge

Re: Optional

Looking at the whois data for that domain (new egg stats.com) it was created 13/08/2018. I suspect it's not owned by Newegg, and was registered by the crims, via a company in Panama no less, that place where all the criminals stash their ill-gotten gains

0
0
FlamingDeath
Bronze badge

That bastion of criminality

I did a whois on (new egg stats.com) out of curiosity; it's been registered through a 3rd party, "WhoisGuard Protected", based in that bastion of criminals, Panama

Is this a national service that Panama offers, protecting criminals?

I wonder what the words are to their national anthem

It seems part of the chorus goes like this:

"It is necessary to cover with a veil from the past"

1
0

Now here's an idea: Break up Amazon to get more shareholder cash

FlamingDeath
Bronze badge

Another sociopath

Another money-hoarding sociopath opens their mouth

“I want more money, whaaaaa”

These people literally feel no shame about their greed

4
0

Amazon probes alleged bribery of staffers for data on e-tail platform

FlamingDeath
Bronze badge

Sociopaths

There are more around than you think there are, and they're usually more successful in life than non-sociopaths, and they breed

Evolution 101

5
0

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS

FlamingDeath
Bronze badge

pi-hole

I ran pi-hole for a while; I found it to be really buggy and was a little concerned it was running as root, considering the amount of bugginess I experienced

0
0
FlamingDeath
Bronze badge

Some call it lazy

I call it muppetry

“After several hours, Joe finally gave up on logic and reason, and simply told the cabinet that he could talk to plants and that they wanted water.”

0
0

Solid password practice on Capital One's site? Don't bank on it

FlamingDeath
Bronze badge
Pirate

Re: There's an addon for that

Interesting, and what is the privacy policy for said "addon"?

https://addons.mozilla.org/en-GB/firefox/addon/don-t-fuck-with-paste/

Permissions

This add-on can:

Access your data for all websites

Access browser tabs

https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/

"There is one permission in particular, “Access your data for all websites”, that we’ve gotten many questions about since the feature launched. The reason why it’s worded this way is because a web page can contain virtually anything, and some extensions need to read everything on it in order to perform an action based on what the page contains.

For example, an ad blocker needs to read all web page content to identify and remove ad code. A password manager needs to detect and write to username and password fields. A shopping extension might need to read details of the products you’re searching for.

Since these types of extensions wouldn’t know whether any particular web page contains the bit it needs to modify until it’s loaded, and neither does Firefox, it needs access to everything on a page so it can look for and modify the appropriate parts. This means that in theory, while rare, a malicious developer could tell you their extension does one thing while it actually does something else."

Thankfully, most people in this world are honest and upright. Unfortunately, a disingenuous monetary system means sometimes people will be tempted to defraud others.

1
0

Security procedures are good – follow them and you get to keep your job

FlamingDeath
Bronze badge
IT Angle

Too much HUBRIS in IT by people who think they know everything

Too many companies rely heavily on their single antivirus offering and think that just because it's reported a binary as clean, it is actually clean of malicious code. The number of times I have uploaded binaries downloaded from official websites to VirusTotal and found them to be compromised is growing.

I only have to give the example of Shellter to prove my point, I've used this and tested it against Security Essentials and others, they do not fare well in detections

When you think you know everything, you're never going to improve your learning

I know I am smart, because I know I know nothing

1
0

Don't put the 'd' and second 'i' in IoT: How to secure devices in your biz – belt and braces

FlamingDeath
Bronze badge

NIST

“Use it to enforce the basics such as mandating a six-digit unlock code that has to be changed regularly”

I thought we'd moved on from that out-dated advice of making end-users change credentials often?

8
0

Activists rattle tin to take UK's pr0n block to court

FlamingDeath
Bronze badge

age checks

Well the likes of Pornhub don't seem to do age checks on user-submitted content

Not sure what is worse, children watching porn or children getting paid to do porn

1
0

Wannabe Supreme Brett Kavanaugh red-faced after leaked emails contradict spy testimony

FlamingDeath
Bronze badge

It was a September morning when America was tricked by sick men...

"Further, the process of transformation, even if it brings revolutionary change, is likely to be a long one, absent some catastrophic and catalyzing event – like a new Pearl Harbor." - PNAC

Remo Conscious - We Know

0
0

M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week

FlamingDeath
Bronze badge

Re: props for the Unreal Tournament reference

Well Cisco certainly is on a Killing Spree™

Killing security that is...

0
0
FlamingDeath
Bronze badge
Flame

Re: Cisco roaming privilege escalation vulnerability

"Why didn't Cisco pick up these vulnerabilities in the testing and debugging stage of these security devices"

Because doing the right thing is inherently opposed to the capitalist model; doing what profits is the only way in this economic model.

I'm giving humanity a confident and generous 10 years left on this rock before it burns

0
0

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

FlamingDeath
Bronze badge

Re: Full URL

This is no different than those dickheads at M$ deciding their users don't need to see the file extensions, spawning all kinds of trickery, for example providing a file called evil.txt.exe and including a text file icon in the exe to convince users further that it is a text file

There is an unspecified prize for anyone who can figure out the thinking behind this.

Anybody?

5
0

FBI fingers the Norks it wants to pinch for Sony hack, WannaCry attacks

FlamingDeath
Bronze badge
Facepalm

Re: How long until a US Government hacker gets the same treatment?

Did you really just use the words intelligence and military in the same sentence?

1
0
FlamingDeath
Bronze badge
Big Brother

UMBRAGE

"a section titled “Umbrage” that details the CIA’s ability to impersonate cyber-attack techniques used by Russia and other nation states."

https://www.wired.com/2017/03/wikileaks-cia-dump-gives-russian-hacking-deniers-perfect-ammo/

Nuff said...

Apparently, Eternal Blue was "stolen"

That's the best alibi ever, my dog ate my hacking tool and shat it out in NK

0
0

Tesla's chief accounting officer drives off after just a month on the job

FlamingDeath
Bronze badge

I found the 2hr+ podcast far more interesting than the brief toke on the spliff

3
2
FlamingDeath
Bronze badge

Re: Tough times

To be fair, Thailand is a magnet for paedos, and just because he has a wife, it doesn't mean he isn't a paedo

Hopefully a PI is looking into this

Sometimes people just give you the creeps, and I suspect this guy gave Elon the creeps.

0
7

HTTPS crypto-shame: TV Licensing website pulled offline

FlamingDeath
Bronze badge

Re: TV licensing agency

Do you mind telling the TV licensing gang of that little detail?

They seem to equate "no tv license" with "they need a tv license" irrespective of how someone uses their TV

Anybody who disbelieves this, I highly recommend you to cancel your TV license, remove all BBC channels from your tuned TV, and then watch the highly threatening letters roll in from the BBC tv licensing gang.

By all means vote down, it won't change this little fact

4
1
FlamingDeath
Bronze badge

Re: scrap tv licence

No idea why you have so many downvotes.

The BBC are happy enough to pay Gary Lineker, Chris Evans and Graham Norton, a ridiculous sum of cash for what is questionable talent.

If anybody has seen Idiocracy, it should be fairly obvious why TV is the way it is

Love Island?

Big Brother?

Celebrity get me out of here?

If these programs are not the result of an ever increasingly stupid population, I don't know what is

9
0
FlamingDeath
Bronze badge
Facepalm

Fucking Crapita

Who knew

2
0
FlamingDeath
Bronze badge

Re: redirecting HTTP to HTTPS

Well, from my observation many of the university types certainly do think that once they've completed their degree the learning is done and finished, and they can then start looking down their noses at us other self-educated types who didn't pay £9k PA for a "rarely present tutor" and are interested enough in the subject to be motivated to self-learn

I guess the overpriced degrees in university breed a kind of hubristic elitism

A bit like when people buy an overpriced product, and they wrongly equate high price with high quality

“The good work for all education is interest. Until there is interest there is no response"

3
0

Ever wanted to strangle Microsoft? Now Outlook, Skype 'throttle' users amid storm cloud drama

FlamingDeath
Bronze badge

Re: Ever wanted to strangle Microsoft?

Do you get paid enough though, for said misery?

9
0
FlamingDeath
Bronze badge

Probably already been said before

Office360?

7
0

Brit teen pleads guilty to Minecraft-linked bomb and airline hoaxes

FlamingDeath
Bronze badge

Muppetry

By hacking crew, you surely mean scriptkiddy crew

Not sure why Minecraft is even mentioned, except to give it a bad name by associating it with this moron's antics. Feuds happen in lots of different games, sometimes resulting in swatting. The games are not at fault; it's the low-IQ idiots playing them with no idea how to behave in a society, that's the problem!

Are you sure that photo was taken when he was an adult?

He looks about 12

6
1

Cybercrooks home in on infosec's weakest link – you poor gullible people

FlamingDeath
Bronze badge

But IT is a utility, like a toilet

When companies employ IT staff, in their minds, they're employing janitors

11
0

5G can help us spy on West Midlands with AI CCTV, giggles UK.gov

FlamingDeath
Bronze badge

“is it really worth spending that many millions of pounds on 5G?”

But, but... SHINY!!

7
0

Fourth 'Fappening' celeb nude snap thief treated to 8 months in the clink

FlamingDeath
Bronze badge
Thumb Up

Re: Gymnophobia:

The Greek "gymnasein" (to train naked)

This is interesting, and my next visit to the gym will be too

1
0

Uni credential-swiping hack campaign linked to Iranian government

FlamingDeath
Bronze badge

Good luck trying to convince people to use 2FA; most people don't like to be inconvenienced and they get quite angry if something doesn't work in the way they demand

You only have to look at how many people pick bad passwords and recycle them across multiple websites, or increment them with number suffixes

Surely this is just technological natural selection and we should just let it run its course.

The result is, we will be left with fewer muppets and then it won't be such an uphill struggle, and IT admins will have to spend less time pissing into the wind

Win win

1
1

Apple leaks rekindle some hope for iPhone 'supercycle' this year

FlamingDeath
Bronze badge

Smart phone

Smart

Phone

Bwaahahaha

Pull the other one

Junk phone more like it, with added crAppstore

0
5

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

FlamingDeath
Bronze badge

Evasive action

Install NoScript (be selective about which domains you allow; if a website doesn't work without scripting enabled on the TLD you're visiting, go elsewhere)

Delete cookies upon browser closing

Don't install Flash

There are other ways and means of tracking such as screen resolution, user-agent string, the list is quite long, but enough of these datasets creates a fairly unique fingerprint.

Just blocking JavaScript and deleting cookies should be enough

I wish I could transport back to the nineties, the internet was so much better then, before it became commercial

12
1
FlamingDeath
Bronze badge
Facepalm

I set up a Pi-Hole

Which is running as root

2
1

Back to school soon – for script kiddies as well as normal kids. Hackers peddle cybercrime e-classes via Telegram

FlamingDeath
Bronze badge

Good

Well someone has to beta test these software houses' untested code; it might as well be criminals if not the companies, who should show some responsibility for it

Hopefully some of their antics will deny CEOs their grotesque salaries

Unlikely though, these sociopaths usually have golden goodbyes, unlike the fixed-term contractors who just get shafted.

1
0

Everyone screams patch ASAP – but it takes most organizations a month to update their networks

FlamingDeath
Bronze badge

Re: Patchy McPatchface

Have you tried employing more staff?

What my experience (20 years) of working in the IT industry has shown me is that company bosses don't like to invest in staff; they would rather have their 4 holidays a year than actually run a company with a full deck. It seems the skeleton crew is the norm these days.

I despair too, because most of these organisations I have had the sad opportunity to experience, have made me facepalm endlessly to the point my forehead is bruised.

1. A Managed services company used a common password to access customer machines (password-01)

2. The owner of the said Managed Services company didn't even know what the WEEE directive was after I told him he couldn't just throw electronics into the normal bin

3. A technology manufacturer who developed a web app to work with their devices, had a support account which would obviously be easily guessed and the password was the same as the username

4. A telecommunications company used 'folder redirection' in their domain policy, but the folder permissions were incorrectly set to Full permissions for Everyone, meaning everyone in the company could read and write every other employee's desktop folders, my documents, etc. This company wanted to be ISO 27001 accredited Bwaaahahahaha

5. I once started at a company and was handed a laptop that had not been wiped since the previous owner. I asked for an ISO from MSDN and was told there weren't any available, and that he had a disc at home; I asked if it was from MSDN, and he said he "thought so", but wasn't sure

6. Same company, was not given a deskphone, and was told to order one from Ebay and claim it on expenses!

I could go on and on and on and on and on and on, about the clusterfuck that is, IT management

5
0

Cisco smells a RAT in Breaking Security's Remcos PC wrangler

FlamingDeath
Bronze badge
IT Angle

House / Order / Much?

Cisco should have a sniff around their own firmware binaries, it seems someone in their organisation keeps adding in back doors to their router firmwares

5
0

Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

FlamingDeath
Bronze badge

CEO bonus covered though?

I bet they outsourced their IT to some Managed Services outfit who are themselves "Managing" about 30 other companies' IT systems with 3 members of staff.

But the upshot of this, is that the CEO, executives and shareholders received huge salaries / bonuses / dividends.

Business as usual...

1
1

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

FlamingDeath
Bronze badge

The S in IoT stands for security

The Internet of Shit™ strikes again

It seems no company is afraid of distributing shit and poorly tested code to their customers, be it Belkin, Samsung, Cisco, Draytek, my list could quite possibly be endless

I bet their profits are looking great though, the CEO and shareholders enjoying huge payouts

If only they invested more in testing and security, if only...

Maybe a law is needed, am I being too preemptive here?

43
4

The future of humanity: A Bluetooth ball hitting your face – forever

FlamingDeath
Bronze badge

Google bod wants cookies to crumble and be remade into something more secure

FlamingDeath
Bronze badge

TL;DR

So I’m just gonna say, HSTS preload

0
0

Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed

FlamingDeath
Bronze badge

Re: Seriously....God?

Maybe a software license is needed, I know this has been suggested before

I mean, I reckon I could have a go at driving an HGV and it will all work out ok

Should I?

(I don't have an HGV licence BTW)

2
0
FlamingDeath
Bronze badge

Re: Incomprehensible

"you can't say the same for any general-purpose OS"

Ok fair points, my analogy probably isn't the best. But still, the point I was trying to express is that of lives being lost due to poor cultural practices. It's become a common and normal practice to patch "bugs"; let's be clear here, they are blunders and we should refer to them as such. Some of these blunders result in serious harm.

At what stage in our technological development do we stop and say enough is enough; this shit needs to be properly framed into best practices and enshrined in law. Companies are profiting from their shonky untested code, and we will start seeing it costing people's lives.

Have company executives gone to jail because of negligence?

Yes

Could we see technology company executives going to jail because of negligence.

I hope so

3
0
FlamingDeath
Bronze badge

Re: "exploited" zero-day

The term zero-day for the most part means what you think it means: unknown to anti-virus definitions, for example

But there can be "in the wild" zero-day exploits, meaning they are actively being exploited, but not sufficiently protected against. They are however still zero-days, but hopefully not zero-days for long.

Hope that makes sense

4
0
FlamingDeath
Bronze badge

Re: Incomprehensible

"I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference hardware and software blurs, but at the moment that is the case."

I honestly think this idea needs to speed up. Too many software houses are pushing out shit (not properly reviewed / tested) code and expecting the public / customers to simply accept this as the status quo. Would we accept this level of ineptitude in the physical world? Absolutely not!

Can you imagine it: a bridge gets built, but then needs to be closed 18 thousand times for patches

When (and some might argue this is now) poorly coded software starts affecting people's lives, there needs to be some accountability for shonky sloppy coding; simply putting a user licence agreement saying you are not responsible for jack shit is not good enough anymore

If your software needs to be patched, time and time again, and then some more, you need to take an introspective look at your software development cycle; perhaps not enough money is being invested into the testing phase and as a company you have decided to kick that particular conundrum down the path

I should mention the Tesla (BETA) autopilot which had a disclaimer to the driver that if they enabled it they acknowledged it was still BETA and accepted the risks with no liability to Tesla.

What the actual fuck, what choice did other road users get?

This is the kind of "we're not responsible" malarkey that needs to fucking change

Honestly, when you have a government which doesn't know the difference between a hashtag and hashing, what chance do we have of a government properly legislating for this technological clusterfuck waiting to happen. I'm no luddite but some people need to wake up and smell the impending technological singularity, before it's too late

6
6


Biting the hand that feeds IT © 1998–2018