Inspiration & Genius – One and the Same

Zappos Hacked

January 16th, 2012

From CNN Money – 24 million accounts accessed. CEO states no credit card data exposed. They state the hack gave access to part of their internal network and systems, yet the server that was hacked was based in Kentucky. I thought Zappos operated out of Nevada?

The article detracts from the fact that they were hacked, period. Regardless of whether customer data or credit card data was taken, they were vulnerable enough to be hacked. Does that give the customers a vote of confidence that they are secure?

Was that last statement a little harsh? Depends on which side of the fence you are looking from. I see it as a good thing that the attackers didn’t get further, but I can’t help but think that it was a starting point. We all know it only takes one person inside the company to make us vulnerable, and that chances are it isn’t malicious, but that the vulnerability that person unwittingly creates allows the hack to occur.

Was a patching / maintenance window pushed for some reason or other? Or – were bad practices involved? We don’t know the answers, we just see the headline “Zappos Hacked”. The hackers got to the last four digits of credit card numbers – perhaps that is a staged database used for testing? Again, who knows, right?

You have to wonder where the fine line is for giving out information about being hacked. Not the method, just what, when etc. Since the damage is done, how do you negate that and recover?

I’m guessing there’s a lot of work going on in Zappos right now – forensics – rebuilding – double checking. It’s sad, since they have done so well up to now. How bad is the fallout going to be? I’m keeping an eye out but my thought is they will recover, since their reputation has always been good and valued.

BIND 9 Resolver crashes after logging an error in query.c

November 18th, 2011

Here’s some news – CVE-2011-4313 with a CVSS rating of 7.8 – BIND 9 Resolver crashes after logging an error in query.c. Here is the original post: http://www.isc.org/software/bind/advisories/cve-2011-4313.

Here’s the description:
An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

Easy fix? Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1
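A quick way to check whether a resolver is still exposed is to compare the version that named reports against the patched releases listed above. The script below is an added example (not from ISC or the advisory); it only understands upstream version strings, so a distribution package that backports the fix without changing the version will still show as unpatched here.

```shell
#!/bin/sh
# Patched releases named in the ISC advisory for CVE-2011-4313.
PATCHED="9.8.1-P1 9.7.4-P1 9.6-ESV-R5-P1 9.4-ESV-R5-P1"

# Split a BIND version string into "branch release patchlevel":
#   "9.8.1-P1"      -> "9.8 1 1"
#   "9.6-ESV-R5-P1" -> "9.6-ESV 5 1"
#   "BIND 9.7.3"    -> "9.7 3 0"
bind_version_parts() {
    v=$(printf '%s' "$1" | sed 's/^BIND //')
    p=$(printf '%s' "$v" | sed -n 's/.*-P\([0-9][0-9]*\)$/\1/p')
    case "$v" in
        *-ESV*)
            branch=$(printf '%s' "$v" | sed 's/\(-ESV\).*/\1/')
            rel=$(printf '%s' "$v" | sed -n 's/.*-ESV-R\([0-9][0-9]*\).*/\1/p') ;;
        *)
            branch=$(printf '%s' "$v" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/')
            rel=$(printf '%s' "$v" | sed -n 's/^[0-9]*\.[0-9]*\.\([0-9][0-9]*\).*/\1/p') ;;
    esac
    printf '%s %s %s\n' "$branch" "${rel:-0}" "${p:-0}"
}

# Returns 0 if the version is at or above its branch's patched release,
# 1 if it is older (still vulnerable), 2 if the branch is not in the advisory.
bind_cve_2011_4313_status() {
    set -- $(bind_version_parts "$1")
    branch=$1; rel=$2; patch=$3
    for pv in $PATCHED; do
        set -- $(bind_version_parts "$pv")
        [ "$1" = "$branch" ] || continue
        [ "$rel" -gt "$2" ] && return 0
        [ "$rel" -lt "$2" ] && return 1
        [ "$patch" -ge "$3" ] && return 0
        return 1
    done
    return 2
}

# Constructed sample version strings; on a real resolver pass "$(named -v)".
for v in "BIND 9.8.1" "BIND 9.8.1-P1" "9.6-ESV-R4" "9.9.0"; do
    rc=0; bind_cve_2011_4313_status "$v" || rc=$?
    case $rc in
        0) echo "$v: patched" ;;
        1) echo "$v: NOT patched for CVE-2011-4313 - upgrade" ;;
        *) echo "$v: branch not covered by the advisory" ;;
    esac
done
```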

Twitter and Legal Hacking

November 11th, 2011

I’ll admit I haven’t read through the whole article in the link below, but the government legally hacked someone? The fact that “legal” and “hacked” appear in the same sentence is a little concerning.

That being said, it is feasible that there are times when something like this might need to happen – National Security etc – and this was with reference to Wikileaks …but, what rights do we really have? Are liberties taken, or do we even believe that the liberties should be taken?

My thought is it can go either way, but if you are going to take away someone’s right to privacy, there had better be a darn good reason. That being said, I’ve heard talk that traffic traveling over an IP (what a concept) doesn’t belong to the person using the IP and can therefore be intercepted. Really? That’s a little low, don’t you think?

Soap box aside, like I said this conversation could go either way, here’s the link. See what you think about it – here, courtesy of the Guardian, UK.

Adobe 0Day Update Tomorrow

September 20th, 2011

It appears Adobe is releasing an emergency update to Flash Player to fix a 0Day vulnerability. Announcing it tells more people about it – catch 22 perhaps?

Here’s the release from Adobe: http://blogs.adobe.com/psirt/2011/09/prenotification-security-update-for-flash-player.html

…it never ends!

UPDATE: It appears Google patched Flash for Chrome before Adobe patched their own! Interesting, since those who want to know what the vulnerability is could analyze the differences between the pre- and post-patch versions. Here’s the post from Larry Seltzer on PC Mag Security Watch.

2011 – Information Security Breaches

August 21st, 2011

2011 is turning out to be a bad year when it comes to the number of ‘records’ lost through security breaches. Searching around the web for information I’ve found a lot of resources that give details, but this article from networknewz.com, posted by Joe Purcell, puts it into perspective in the first couple of paragraphs, and has links to details on the breaches. Here are some of the breaches from 2011, from the post. For the entire list, with links to the details, go to the source of the article here:

1.29 million Sega accounts

100 million or more Sony accounts

Potentially, the email accounts of over 2,500 companies serviced by Epsilon

360,083 bank accounts at Citigroup

280,000 accounts at Honda

1.2 million accounts at the Texas Comptroller’s office

114,000 accounts of iPad 3G owners

40 million or more RSA SecurID tokens issued by EMC to over 30,000 companies and government agencies, including half of US banks that use SecurID tokens

It’s quite scary, not only how many user accounts were compromised, but also (not mentioned in this article) how long it has taken certain entities to get their infrastructure back online. One has to assume that the issues were massive for it to have taken so long, perhaps? (supposition)

You also have to ask if these were preventable. By nature it’s almost impossible to stay one step ahead of attackers. With undisclosed vulnerabilities, let alone zero-day vulnerabilities, it is all you can do to follow the flow. Bear in mind that the human factor is a huge influence in this field; it almost feels like herding cats while chasing your own tail.

Readiness – Red Teams – constant self assessments – audits – reaction drills – forensics – so much to be done with probably little budget, and sometimes little concern. I’ve said it a few times here, if we (security leaders) cannot convince senior leadership of the risk, should we be in that role? The variables are things like – it doesn’t matter how good you are, they still won’t listen – I guess then it’s time for a career change, if not at least a company change? Do we (you) have the balls to escalate your fears to the board? Should you?

For fear of rambling on, suffice it to say 2011 has been a bad year for breaches. Perhaps companies will notice now, that you really do need to be aware and in control of information security to stand any chance of staying secure.

5 quick OS X Lion tips and work-arounds – REUTERS

July 27th, 2011

Here are five quick tips and work-arounds By Mark Crump at GigaOm, posted at reuters.com. I was wondering how to get ~/Library

1. Remove icons from Launchpad. Right now, the only icons you can remove from Launchpad are apps installed via the Mac App Store. If you remove the icon, the whole app is removed. In a way, this makes sense: they want to transfer the same ease-of-deletion from iOS to OS X. The problem is, if you have a ton of what Lion sees as apps — in my case, all the old World of Warcraft patches showed up in Launchpad — you’re going to have a mess. I can’t hide the apps completely, so instead I performed the digital equivalent of stuffing them in the closet. I created a single folder, moved any non-app programs into that, and stuck it on the last page in Launchpad.

2. Reveal your Home Library folder. I’m not sure why Apple hid this, but there are two ways you can get to it. The first is to go to the Finder, open the Go menu, and choose “Go to Folder.” Type in ~/Library/ and hit Enter. This will bring you to the folder. If you need to get there more than occasionally, or have an app where the hidden flag is causing problems, you can make it visible by typing in “chflags nohidden ~/Library” in the Terminal.

3. Make an app open in all spaces. This tip only works if you have multiple Desktop spaces. To add a space in Mission Control move your pointer to the upper-right hand corner and click on the large Plus icon. Then, right-click on the app’s icon in the Dock, choose Options, and “Assign to: All spaces.” As a bonus tip, you can also create an empty space to quickly flip to an empty display if you need to.

4. Remove icons from the Sidebar. I’ve run into a few instances where dragging an icon off the Sidebar doesn’t actually remove it. If this happens, right-click the wayward icon and choose “Remove from Sidebar.” If, like me, you ended up with some Sidebar folders pointing to now nonexistent folders and can’t remove them at all, renaming the com.apple.sidebarlists.plist file in the ~/Library/Preferences folder (it doesn’t matter what you rename it to) and rebooting will restore your Sidebar to default icons.

5. MobileMe Calendar syncing is now set in iCal. This one threw me at first. In Snow Leopard, you set MobileMe Calendar syncing within the MobileMe System Preferences pane. Now, it’s under iCal’s preferences under Accounts. I imagine this is because iCloud will render the MobileMe preferences pane obsolete.

Reminder: this is NOT my work – kudos goes to the author Mark Crump at GigaOm

Dear Apple

July 27th, 2011

Dear Apple,

I’m liking the new OS X – I have to say it’s pretty slick. One question though, please can I have control of the sidebar in my finder windows? I appreciate the new look, but I don’t like that I can’t move my devices to where I can see them.

k? Thanks!

Clickjacking Attacks Unresolved

July 16th, 2011

I was reading through some Twitter posts recently and found a link to this one. It’s interesting to note what clickjacking actually is, and this article is quite revealing. The article is written by Lin-Shung Huang and Collin Jackson (Carnegie Mellon University) and is hosted on google docs here. You might have seen clickjacking through some Facebook issues recently called “likejacking”.

This article is a good read and will give you some flavor of what clickjacking is, and how it is used!

EDIT: …and here’s more information from Lenny Zeltser on the same subject – this is also a great read with some real-time demos to watch as well. It’s on his blog http://blog.zeltser.com.

PIN Pads Hacked at Michaels Stores Nationwide

May 14th, 2011

PIN Pads Hacked at Michaels Stores Nationwide

Here’s another example of hacking in plain sight. On reading this article though, you have to wonder how the terminals were hacked. These are the terminals where you swipe your debit card and enter a PIN. In the original article there is no mention of how they were hacked, just that they were hacked. I’m even wondering if this was an inside job, or the POS vendor.

Suffice it to say there will always be risk, especially in public realms such as retail. Much as we say to be vigilant we can’t all be on the ball all of the time.

Unpatched Exploit: Skype for MAC

May 6th, 2011

According to a Pure Hacking Blog Entry = http://www.purehacking.com/blogs/gordon-maddern/skype-0day-vulnerabilitiy-discovered-by-pure-hacking and The Register UK = http://www.theregister.co.uk/2011/05/06/skype_for_mac_critical_vulnerability/

There is a 0 Day exploit that exists for Skype on MAC. Windows and Linux are unaffected. Some best practices for Skype include setting your messages to only allow from Contacts. This does not protect you from infected contacts but it might help.

via Unpatched Exploit: Skype for MAC.

(these are not my words by the way – this is posted ‘as is’ from the original)
