The content of the email was published - it had full details of the issue and exactly how it needs to be fixed, with no demands for payment or use of their services. There was also no "hacking" involved. Basically the company got a free warning of a serious vulnerability.
17 posts • joined 3 Feb 2014
Schools email marketing company told us to go away when we told them of exposed database creds, say infoseccers
Their 'next job could be in cyber': UK Cyber Security Council launches itself by pointing world+dog to domain it doesn't own
Re: Cool, but why?
The education aspect was a key part of the plan as a hook to get public funding and support.
The team would have done it purely for the challenge anyway (like climbing a mountain, "it was there") but they clearly enjoy that it's helping encourage children into STEM education, and pushing schools into teaching younger children at a more advanced level than before.
Re: It will retail for just $35,000
I had a brand new Leaf and the insurance was about £320 - so for me about £100 more than a worthless shed. I think at the moment electric car drivers are likely to be a much better risk than the general population so it offsets any increased repair costs; obviously a mass market car will produce different statistics eventually. It's also possible that they aren't subject to certain types of damage, e.g. a front-end impact might ruin critical parts of a petrol engine but the motor in an electric car might survive. Likewise I have waded my Leaf through flood waters in which I probably wouldn't have risked a petrol car (and in retrospect, probably wouldn't have taken it again, but there you go).
I'm not surprised that employees do moderation on their personal accounts. I know a few people who work there and I recall that they often do testing/dev using their personal accounts even though there is an "internal Facebook" for that, and sandbox/test accounts available.
Another interesting thing - to visit their offices you have to sign into your Facebook account to get a pass.
By the looks of it, the 8528 is a very high end laboratory glassware cleaner and disinfector with many programmes and reporting facilities, so it's not surprising it might have a fully featured controller (heck, some hospital beds have touchscreen TFT controllers!)
However, you'd expect software updates for your £tens of thousands dishwasher.
The problem is that I'm sure Google is ranking their site on each page's merits, and it looks like they are auto-generating millions of pages for each postcode and street name. Each of those would be ranked fairly badly since the page content is almost identical (even if the map tiles are parsed). Obviously Google is detecting place name searches and plugging automatic links straight into Maps.
One other interesting thing - their robots.txt has some curious entries. It looks like when people make a complaint about their personal data somehow being included in page data, the admins put the URL into the robots.txt file rather than an on-page meta noindex.
Re: Ancient coin counter
Glad it's not just me who was boggled at how the coin machine needs the customer to type in the account details but the notes machine has a card reader! Still, it's better than most other banks which have no way to pay in coins other than going to a cashier (and possibly needing to bag them up).
I wonder how the brakes feel on this - I have a Leaf and there is a B mode (and Eco which is similar) where the regenerative effect is increased, and the brakes take less effort to engage. The unnerving part is that when the battery is fully charged there is NO regen (because there is nowhere to 'put it') and the brakes need a greater effort. It's one thing to wake you up in the morning when you forget!
edit: Oh yes, I'll add to the chorus of comments that the design is pretty poor. I know they are constrained with having to use pre-made lighting components and maximising aerodynamics but jeez....
I managed to pick up one of these in the "20,000 invite warm-up" thing after randomly spotting it on Twitter, and it is a nice bit of kit really, nicely made for the money, and Cyanogen is an excellent version of Android of course.
One *major* problem - they shipped it with a Schuko-type charger and one of the nasty-cheap UK adapters that you (or a child) can do all sorts of dangerous things with:
I have a bPay band, it works fine and it's a neat idea with a few flaws at present:
- All your purchases are batched under a single top-up on your bank account, you need to review the bPay account to see what was bought
- The card is quite small (a bit larger than a mini-SIM) but it's inserted into a thick pocket in the wristband and the overall 'bulge' is HUGE and uncomfortable.
- Because it's "one size" the wristband is fastened by pressing a very flimsy plastic clip into holes, this takes AGES and doesn't seem safe at all. It's far too thick to stretch over your hand and I'm sure the clip would break very quickly.
- You can't go out with just the wristband because obviously not everybody accepts contactless, and it can fail.
Re: Saturday evening...
This is what I saw at around 16:48:
It reverted to a cPanel default page fairly quickly, and then the DNS entries were dropped from the "dnforu" servers.
This was the Nominet whois at the same time, clearly showing the rogue DNS servers:
It was like that for at least an hour and a half, a crazy slow response. I assume they were locked out of the Markmonitor systems!
"a very small subset of people visiting a few marketing web pages of PayPal France, UK"
A FEW marketing pages? The FRONT PAGE, i.e. ebay.co.uk, was hijacked for two hours, and visitors' cookies would have been spewing to the rogue server. I didn't check PayPal at the time (I was an affected user) but I assume it was the same.
They changed the DNS servers to a couple of random ones. If the attacker had been more malevolent they could have put a fake login form on and had a field day.
An interesting problem is that when whoever owned the server that was hosting the hijack page discovered the problem they disabled the account, which 301 redirected to a "site suspended" page. On many browsers a 301 is cached for a very long time, so when the affected people visit ebay.co.uk they will be redirected to something like www.ebay.co.uk/cgi-bin/suspended.cgi (which 404s) until they clear their cache.