Posts by Frank Bitterlich 419 posts • joined 9 Nov 2007
If I were an author of espionage novels, this would give me a few plot ideas. Like that they might have identified some Apple internal service or system that carries unencrypted or easy-to-break traffic; because it is used exclusively within Apple's network, nobody bothered to fix it...
But I'll leave that to John le Carré and his colleagues.
Thought that too. Are they going to buy every batch of CCNs and SSNs now that are posted on any of these markets from now on, to "monitor" them? Or are they just waiting until any of the suppliers there are stupid enough to mention the source they got the data from? Or are they just repeatedly entering "Flagstar" into Google?
... the cameras were installed to encourage or help workers...
Isn't it nice how cameras are always used to "encourage" and "help" people, especially those who are monitored by them.
As in, "Riot police used batons on the innocent protesters to help and encourage them lying on the ground and bleed."
And how on earth is a telescreen camera which is monitoring the driver "help[ing] folks keep track of their packages"? Maybe if the van is on fire or lying upside-down in a ditch, the camera will send out an email to all customers having deliveries on that van that it will be delayed?
Hmmm. "Laptop", "[external] support engineer", "customer data"... looks like those three terms always appear together in articles which also contain the term "compromised", and "[company name] takes the security of its customers' data very seriously."
I wonder why...
If some shitty proprietary software companies are too lazy to make their programs work with it [...], that's their problem.
Nope. That's exactly the point of the article: It's the users' problem. Not everybody can or will use any given calendar SW (be it iCalendar or whatever), and if they don't cooperate well, the user will suffer.
We are indeed in stone age when it comes to PM and calendar syncing, you always have to worry whether software A works nicely with software B.
This post is best viewed with Netspace Navigator on an 640x480 screen.
Not sure what the "facepalm" is about.
The behavior of the targeted sysadmin? I see no mention in the article that (s)he actually fell for the trap.
The fact that they (the authors, apparently APT38) sent out such badly disguised attacks? Normal procdure. Send that to 1000 people (whether IT security "professionals" or not), and you will definitely get a non-zero number of people falling for it.
Not exactly a backdoor. More like a fake lock on your front door, because you can never remember to take your keys, and temporarily replacing it with a real lock when the insurance guy visits.
Looks like their software has problems doing its job when the dirver is working in a secure fashion, and they have to resolve to insecure memory allocation to work around the issues.
If you look at the forum, the issue had been marked as "Resolved" as soon as Vodafone came around with a message that a fix is in the making.
Also, I don't see the word "sorry" or "apologies" anywhere in their response. Only "... to get you all connected to what you love again". As if the fix for bricking the phones was a "feature."
What a nice, modern approach on customer service...
Alternatively they could mandate the companies provided free and more importantly with the product an adaptor. You would be amazed at how quick they would change "special" designs to avoid any extra production costs...
Well, in a way that's already happening. At least with Apple phones, you get a USB Type-A charger and a USB Type-A to Lightning cable.
So the cable is the adaptor already. I supect that with moste phones today, you get a charger like that and the matching cable (whether it has USC-C, Lightning or Micro-USB on the other end.) Forcing the phone makers to switch to an actual, additional adaptor just to make the cable "universal" would be silly in my opinion.
Economic and vanity issues aside, I've been wondering what a mandatory, unified "charger" port would mean would mean for the future. Regardless of how that actual standard would be defined (use the one which is used most today; or specify one standard explicitly), it would basically outlaw any other port type. Imagine if this had happened in 1999, then our phones would probably have had USB Type-B connectors then, and since no other standard could be sold (at least in the EU), we would probably still use that today.
Or would our phones have two connectors now, one up-to-date (USB-C or Lightning), and the other, outdated one for "legal" reasons?
It looks a bit like those trying to solve this "problem" fail to understand that the "charging" port of a modern phone is much more than that.
OK, so what's the takeaway from this finding? Is it that system-provided encryption is good enough that it is useful for the bad guys, too? Kind of obvious for me.
I don't think that any "anti-ransomware" can ever be effective by controlling if/which encryption functions are used. If you got a process running on your machine that you don't want, you're compromised. Trying to control whether that process uses specific functions/techniques is kind of missing the point. At this point, your best anti-ransomware is probably that offline backup that you made last week.
Probably around the same time as this tale occurred, a friend of mine got a copy of ResEdit into his paws and was thrilled to find out that you could alter all kinds of menus and alerts both in applications and the OS on the Macs of the newspaper he worked for. So the most logical thing was to spend multiple hours to work through all resource forks he could find and replace the work "file" with "cookie", and "folder" with "bone."
At that time, data between the machines was mostly exchanged by floppy (well, rather "stiffy") disks. I still don't know how it happened, but soon after, the madness spread to other machines, more and more eventually asking stuff like "Are you sure you want to copy this cookie into this bone?" Took a lot of effort to clean that up, but it was really funny. Especially seeing him try to explain that to the boss...
If the stuff is really IP-based, it's probably the app developrs who take up the support, not Apple in its role as OS vendor. If they don't support it, it won't be deeply integrated in iOS (read: Siri etc.), but it should be trivial for third-party apps to support and maybe integrate it.
Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.
Slight correction: "... it is important to replace D-Link on your list of suppliers with a company that actually takes security seriously."
It's not exactly news that with most "class action" settlelemnts, the people actually harmed get little or no recompensastion at all.
But this is taking the whole thing to a new level: The FTC allows the defendant to install arbitrary hurdles for any claimant, including bullying those who have suffered damage by that firm to buy even more of their services.
"Nice credit rating you have, there. Would be a shame if something happened to it..."
Effectively, a US federal agency is siding with the perpetrator, to keep the financial damage (to Equifax) as small as possible.
That level of corruption is amazing, even when you take the current government into account.
"MoviePass leaked tens of thousands of customer account details, including payment cards numbers and mistyped passwords, via a poorly secured public-facing database [...]. The system has since been secured."
I don't think they have secured their systems. They may have closed the public-access hole, but if they indeed store mistyped passwords, that's just one step less horrible than storing unhashed actual passwords. Unless they hire someone with actual security skills, "securing" their system is a hopeless endeavour.
You mentioned that you're using 1Password for your passwords. Honest question, what is your motivation for using this vs. the built-in Keychain Access app? I've seen a few people using 1Password so far, but none of them could explain to me why they chose it over the built-in solution.
In any case, I would keep the laptop associated with your Apple ID. If you remove it, you lose the chance of finding it through Find my Mac should it ever connect to the net before it is being wiped.
As I understand this, somebody (Monaco Telecom? Or is it just hosted with them?) has allegedly created a clone of this guy's website, pilfered the images, added some SEO, and Google is indexing (and showing search results for) that cloned website. So Google cached the (allegedly stolen) images from the clone.
So suing Google for this is a bit far-fetched IMHO... either he is going for the low-hanging fruit (why isn't he suing Bing?), or he doesn't understand how search engines work. So much for "Azure Consultant"...
A long time ago a coworker managed to put a DAT cartridge backwards into the tape drive of our RS/6000 system (don't ask me how. But it wouldn't come out again.) Since these drives were painfully expensive at the time (although being just regular DAT drives, but apparently with custom firmware) I didn't dare the old "yank, then yank a little harder" technique and had to disassemble the drive. Took me hours, but saved us a four-digit amount and got me a case of beer from said coworker :)
Plus, it gave me an opportunity to remove the solid block of dust that occupied all the free space inside the RS/6000 – at first I thought it was some kind of insulation. A miracle that the machine had not overheated (or spontaneously combusted.)
"What isn't being said is why he got flagged in the first place."
No. Because nobody but the CBP agents know. But what they grilled him about is probably a clue.
Ask Jacob Appelbaum about this. He has a few stories like this one to tell.
"I used to do a bit of globe trotting and never got flagged."
Congrats. And that means... what? That it's probably his own fault?
/shakes head
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022
