* Posts by arsebiscuiting

2 posts • joined 21 Jan 2011

Lulz warns NHS of sick security

arsebiscuiting
FAIL

Twitter anyone?

http://www.lmgtfy.com/?q=Alice%E2%80%99s+%E2%80%98Bucket+List%E2%80%99+

Are el reg journos blocked from Twitter now?

Lush website hack 'exposes credit card details'

arsebiscuiting

Am I being thick?

I've not seen anything which says the attackers picked up passwords from a file or from the database in plain text. This attack would be easily achievable using XSS or simple insertion of code into the PHP on the server at the point the browser commits them. Said code could email to a drop box account or access a remote server to upload the card details.

Without auditing of all live files against the database, an HTML file could have had a remote scripting attack in it for months without being detected, especially if the site design wasn't changed.
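An added example, not part of the original comment or of any site's own code: one way to run the live-file audit the comment describes, assuming the known-good record is a SHA-256 manifest taken at deploy time, plus a check for script hosts outside an allow-list. The function names, the sample site and the hosts `skimmer.invalid` and `cdn.example.com` are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Matches <script src="http(s)://host/..."> and protocol-relative //host/...
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def external_script_hosts(root, allowed_hosts):
    """Return {relative path: [hosts]} for script sources not on the allow-list."""
    root, hits = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            hosts = SCRIPT_SRC.findall(p.read_text(errors="replace"))
            bad = sorted({h.lower() for h in hosts} - set(allowed_hosts))
            if bad:
                hits[p.relative_to(root).as_posix()] = bad
    return hits

def audit(root, baseline, allowed_hosts=()):
    """Compare the live tree with a baseline manifest taken at deploy time."""
    live = build_manifest(root)
    return {
        "added": sorted(set(live) - set(baseline)),
        "removed": sorted(set(baseline) - set(live)),
        "modified": sorted(f for f in live.keys() & baseline.keys() if live[f] != baseline[f]),
        "external_scripts": external_script_hosts(root, allowed_hosts),
    }

def demo():
    """Constructed sample site: take a baseline, simulate tampering, audit."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "checkout.html").write_text("<form action='/pay'></form>\n")
        (site / "pay.php").write_text("<?php process_payment(); ?>\n")
        baseline = build_manifest(site)  # keep this off the web server in practice
        # Simulated unauthorised edits (constructed; skimmer.invalid is a placeholder host)
        (site / "checkout.html").write_text(
            "<form action='/pay'></form>\n<script src='https://skimmer.invalid/c.js'></script>\n")
        (site / "stats.php").write_text("<?php /* unexpected file */ ?>\n")
        return audit(site, baseline, allowed_hosts={"cdn.example.com"})

if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored where a compromise of the web server cannot rewrite it, and if the audit runs on a schedule rather than only at redesigns.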


Biting the hand that feeds IT © 1998–2021