
(The Raw Story)   Blogger invites white hat hacker to test the security of his confidential information, finds that it is about as secure as a cardboard box with a padlock   (rawstory.com)
    More: Scary, cardboard boxes, hackers, New York University  

6096 clicks; posted to Geek on 27 Oct 2013 at 2:00 PM (36 weeks ago)



37 Comments
 
2013-10-27 12:23:30 PM
FTFA:  It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I...

I what?  DON'T LEAVE US HANGING, MAN!!!
 
2013-10-27 02:10:30 PM

xanadian: FTFA:  It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I...

I what?  DON'T LEAVE US HANGING, MAN!!!


He must have died while typing it.
 
2013-10-27 02:13:16 PM
Link to the actual article.  Good read, by the way.
 
2013-10-27 02:23:35 PM
Link worked fine for me. Maybe they fixed it or it is a browser issue.

Good article on how easy it is for people to get your private information.
 
2013-10-27 02:26:14 PM
tl;dr:

Don't plug in found USB drives and don't open files with .ZIP or .JAR extension sent by people you do not know, and/or which you do not expect.
 
2013-10-27 02:27:28 PM

DerAppie: tl;dr:

Don't plug in found USB drives and don't open files with .ZIP or .JAR extension sent by people you do not know, and/or which you do not expect.


Not even close.
 
2013-10-27 02:34:38 PM

DerAppie: tl;dr:

Don't plug in found USB drives and don't open files with .ZIP or .JAR extension sent by people you do not know, and/or which you do not expect.


You missed one:

i293.photobucket.com
 
2013-10-27 02:54:03 PM

qorkfiend: DerAppie: tl;dr:

Don't plug in found USB drives and don't open files with .ZIP or .JAR extension sent by people you do not know, and/or which you do not expect.

Not even close.


Considering that the attack vector that got them in was someone opening an e-mail attachment I'd say it was. They would have gotten in sooner if the person plugging in the USB drive didn't get stymied by an out of date OS.
 
2013-10-27 03:02:22 PM
"Comp-sec," as it's called - short for computer security -

Nobody calls it that, dude.

I signed a waiver (courtesy of Trustwave's lawyers) that barred me from suing the company if my information ended up in the wrong hands.


Oh jesus.

And then they physically broke into his house. That's not hacking, that's black-bagging. If you can break into someone's home/office without getting arrested, you don't need to hack.
 
2013-10-27 03:04:40 PM
Actually, I think the point of the article was that the author's wife was the weak link.  It was her studio they tried to use to get to him, her laptop they installed the malware on, and her consistent porting of old hard drive data that gave them all they needed.

So really the lesson is, he shouldn't trust his wife.
 
2013-10-27 03:04:43 PM

HotWingAgenda: And then they tried to physically break into his house. That's not hacking, that's black-bagging. If you can break into someone's home/office without getting arrested, you don't need to hack.


FTFM
 
2013-10-27 03:25:19 PM
It sounds like the hacking was much more a pain in the ass than I would have expected, even though they managed physical access to his wife's computer at least once and took two successful (the target opens the file) phishing attacks after a multi week effort by three (?) teams.
 
2013-10-27 03:28:01 PM

King Something: xanadian: FTFA:  It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I...

I what?  DON'T LEAVE US HANGING, MAN!!!

He must have died while typing it.



Look, if he was dying, he wouldn't bother to type 'I...'. He'd just say it!
 
2013-10-27 03:29:20 PM
How to implement perfect cyber security.

1. Buy a computer without any O/S installed
2. Leave it in the box

When you have governments purposely weakening encryption standards and releasing "Nation-State" level nefarious code into the wild (Stuxnet) for criminals to analyze and copy, functional cyber security is a laughable concept.
 
2013-10-27 03:40:39 PM
I'm actually faintly reassured by how much physical effort this required. And they didn't get much more than the PI got 14 years ago, using old fashioned detective work.
 
2013-10-27 03:45:25 PM
My plan is that anyone managing to hack into my PC will be so distracted by the vast amount and huge variety of porn I have so that they will forget all about finding out my bank accounts or social security.
 
2013-10-27 03:47:49 PM

gwowen: I'm actually faintly reassured by how much physical effort this required. And they didn't get much more than the PI got 14 years ago, using old fashioned detective work.


True. But after reading it all they almost could have done all they did by just sending that email with the attachment to his wife. They more or less could have done all they did in ten minutes. Almost none of the physical snooping, visits, undercover missions and dropped USB sticks achieved anything.
 
2013-10-27 03:56:47 PM

gwowen: I'm actually faintly reassured by how much physical effort this required. And they didn't get much more than the PI got 14 years ago, using old fashioned detective work.


The physical effort was just trying different things. And, from their plan, looks like just trying other things before doing what they knew would work.

In the end, all it took was three emails and a zip file before they could've been destroyed.
 
2013-10-27 04:02:29 PM

King Something: xanadian: FTFA:  It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I...

I what?  DON'T LEAVE US HANGING, MAN!!!

He must have died while typing it.


If he died he would have typed "arrrggghhh".
 
2013-10-27 04:08:59 PM

DerAppie: tl;dr:

Don't plug in found USB drives and don't open files with .ZIP or .JAR extension sent by people you do not know, and/or which you do not expect.


I don't open them period.  Mail it to me on a disk.
 
2013-10-27 04:10:33 PM
Didn't Trustwave get into a bit of trouble handing out root CAs to their clients for the purpose of reading employees' email, work related and private?
 
2013-10-27 04:21:38 PM

gwowen: I'm actually faintly reassured by how much physical effort this required. And they didn't get much more than the PI got 14 years ago, using old fashioned detective work.


Yeah, the target prole didn't have the good manners to be running Windows and using WiFi with WEP encryption & WPS enabled, and nobody at his wife's work would plug in the random USB drive - and I'll guarantee that that vector required running Windows with autorun enabled.
 
2013-10-27 04:22:57 PM
Ask Randall Schwartz why the contract of understanding for the pen test is essential.
 
2013-10-27 04:41:54 PM

NotARocketScientist: Link worked fine for me. Maybe they fixed it or it is a browser issue.

Good article on how easy it is for people to get your private information.


I know... I have one question though...
What is up with that hat you are wearing last New Year's Eve and who is that hot blonde chick in the picture with the 3 of you?
 
2013-10-27 06:40:37 PM
I do the exact opposite.  I let anybody in and out of my server and wifi and let anybody install whatever.  Fresh start from a secondary driver every morning.  Try finding my snowflakes in that blizzard.
 
2013-10-27 06:43:34 PM

Flint Ironstag: My plan is that anyone managing to hack into my PC will be so distracted by the vast amount and huge variety of porn I have so that they will forget all about finding out my bank accounts or social security.


I'd used that method as well and just did everything I could to put it everywhere, even the screen saver.  Worked perfectly until I went on vacation and a co-worker tried to use my desktop.
 
2013-10-27 06:59:25 PM
 "Licensed Investigators for Accurate Results" reads the tag line, calling itself "America's premier provider of on-line investigative solutions."

media.tumblr.com
 
2013-10-27 07:10:36 PM
FTFA:  I read the email but didn't open the attachment because it was a file type I didn't recognize. I remember thinking why would a high school student send me an attachment with a JAR suffix?

See, the people where I work, they'd see a .jar or .zip, and be all like 'ZOMG I KNOW THE SYSADMIN SAID DON'T OPEN THESE, BUT OMG I GOTTA SEE WHAT IT IS LOLOLOLOL'
 
2013-10-27 09:23:20 PM
castle of anaaahhhhh.....
 
2013-10-27 11:43:45 PM

Dr. Whoof: So really the lesson is, he shouldn't trust his wife.


That's a lesson I learned the hard way. Never again my friend, never again.

/she's now my ex-wife
 
2013-10-28 01:02:52 AM
I'm probably outing myself as a total noob for asking this...

but what's fundamentally wrong with opening a .jar or .zip or .rar or .xxx compressed file?

Of course in an email attachment I'd never touch any file unless I knew the sender and was expecting something.

But even if I were dumb enough to do so wouldn't I have to open an .exe or .bat or another compromised file type like .doc inside the archive to have code executed on my machine?

I know opening an archive file copies its contents to my hard drive, but I didn't think they could contain auto-executing code.

The author and his wife use Macs and I'm a Windows guy, so maybe that's where the vulnerability lies.
 
2013-10-28 03:55:07 AM

troggy: I'm probably outing myself as a total noob for asking this...

but what's fundamentally wrong with opening a .jar or .zip or .rar or .xxx compressed file?


The zip file exploit counts on the fact that the file explorers in Windows and on the Mac will kick off auto exec scripts in the resulting folder when the user views it. Ditto with RAR. JAR files are specially formatted zip files, so most decoders will unpack them as such.
 
2013-10-28 05:20:31 AM

Evil Twin Skippy: troggy: I'm probably outing myself as a total noob for asking this...

but what's fundamentally wrong with opening a .jar or .zip or .rar or .xxx compressed file?

The zip file exploit counts on the fact that the file explorers in Windows and on the Mac will kick off auto exec scripts in the resulting folder when the user views it. Ditto with RAR. JAR files are specially formatted zip files, so most decoders will unpack them as such.


Even if you right click and open with 7zip or something similar, or "extract here"?
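
An added example, not part of the thread: since a JAR is a zip container, an attachment can be checked by reading only the archive's directory, without extracting or running anything. The function names, the extension list and the sample archive below are assumptions constructed for this illustration.

```python
import io
import zipfile

# Illustrative list of extensions to flag (an assumption of this example).
RISKY_EXT = (".exe", ".bat", ".cmd", ".scr", ".vbs", ".js", ".jar", ".class")

def inspect_archive(data: bytes) -> dict:
    """Report what an attachment contains, reading it in memory only.

    Nothing is written to disk and no entry is executed.
    """
    report = {"is_zip": False, "main_class": None, "risky": []}
    # Decide by content, not by the file name's suffix.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(RISKY_EXT):
                report["risky"].append(info.filename)
        # A manifest naming a Main-Class is what lets a Java runtime
        # launch the archive as a program instead of just unpacking it.
        if "META-INF/MANIFEST.MF" in zf.namelist():
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in text.splitlines():
                if line.lower().startswith("main-class:"):
                    report["main_class"] = line.split(":", 1)[1].strip()
    return report

def build_sample_jar() -> bytes:
    """Constructed sample: a JAR-shaped zip with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: demo.Main\n")
        zf.writestr("demo/Main.class", b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_archive(build_sample_jar()))
    print(inspect_archive(b"plain text, not an archive"))
```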
 
2013-10-28 05:39:03 AM

HotWingAgenda: "Comp-sec," as it's called - short for computer security -

Nobody calls it that, dude.


Seriously. Sounds like bad '80s or '90s D-grade sci-fi "cool" talk.
 
2013-10-28 09:56:44 AM

taurusowner: King Something: xanadian: FTFA:  It's my first class of the semester at New York University. I'm discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I...

I what?  DON'T LEAVE US HANGING, MAN!!!

He must have died while typing it.


Look, if he was dying, he wouldn't bother to type 'I...'. He'd just say it!


Maybe he was dictating?
 
2013-10-28 11:28:26 AM
See this is why I run Linux (Mint) on my laptop. I can gleefully plug in any usb drives and click any attachments without worry.  What's more, even if they do target me specifically with a Linux exploit they'll never get anything back due to the SHIATTY WIFI DRIVERS (Intel wtf?!) refusing to maintain a stable connection for more than 0.3 @#$%^ seconds.

//Dear hackers: If you steal all my stuff please remember to submit the wifi patch when you're done. kthnx
 
2013-10-28 01:07:40 PM

SquishyLizard: See this is why I run Linux (Mint) on my laptop. I can gleefully plug in any usb drives and click any attachments without worry.  What's more, even if they do target me specifically with a Linux exploit they'll never get anything back due to the SHIATTY WIFI DRIVERS (Intel wtf?!) refusing to maintain a stable connection for more than 0.3 @#$%^ seconds.

//Dear hackers: If you steal all my stuff please remember to submit the wifi patch when you're done. kthnx


So you're saying you use Linux because nothing works properly on it?  Sounds like a great plan... :P
 