LinkedIn password hashes dumped

[rainwulf]

Quote:

Originally Posted by mrpats

ummm...I don't think comparing Stuxnet with CloudFlare is fair.

CloudFlare was a series of flaws exploited using some social engineering and some clever thinking. It's purpose : Hacktivism.

Stuxnet had a series of 0-day exploits, jumped an air gap, propagated itself to find a particular program to allow it to screw up a uranium enrichment program.

You'd be forgiven, if as either the target or maker of Stuxnet, you weren't very forthcoming with a press release about how it compromised the target network.

That and it goes to show dont use windows.

[Daemon]

Quote:

Originally Posted by mrpats

ummm...I don't think comparing Stuxnet with CloudFlare is fair.

Not sure what you mean sorry, I only compared Stuxnet and CloudFlare in regards to the transparency and it was a tongue-in-cheek comparison

Stuxnet and Flame are quite advanced systems (especially Flame) and it's probably just the tip of the iceberg. I wonder how many infected systems there are with other exploits, considering it took years to discover Flame.

[HumbleBum]

My linked in password is my level 6 password which is for all things I dont really care about, that cannot get me into trouble if found. Its also the easiest.

[elvis]

Quote:

Originally Posted by IACSecurity

I'm not at all amazed.

I'm with this guy. It's not at all amazing - so few companies give enough of a shit about security.

What I am actually truly amazed at is that this sort of thing doesn't happen with greater frequency, given how utterly appalling corporate security is.

[Mitch01]

Quote:

Originally Posted by IACSecurity

I'm not at all amazed. Almost every company has a 'critical flaw', and tbh most dont, and don't want to know about them.

Its a fucker, but what are you going to do about it.

Kinda on topic, and I'm interested to hear your thoughts on this given you know your stuff when it comes to IT Security..

But ... how safe do you see Cloud Storage providers given it's the new *buzzword* in IT?

Do you see them becomming a bigger target for hackers because there's big money in potentially holding clients data for ransom?

Keen to hear your thoughts on this.

[elvis]

Quote:

Originally Posted by Mitch01

Do you see them becomming a bigger target for hackers because there's big money in potentially holding clients data for ransom?

Understanding how "hackers" work answers part of this question.

99% of attacks these days are automated. You sometimes hear about targeted attacks, but these are the minority. Hacking is a game of opportunity. The interesting sites aren't generally the ones that are hacked, but it's the insecure ones. Much like your average thief doesn't target the "interesting" house, but the one where the door isn't locked and there's no dog in the house.

Anything with a public IP address is going to get scanned all day long for vulnerabilities. As more and more people move things into "the cloud", that gives folks who attack these things for laughs and/or profit a broader profile to scan, and ultimately attack once vulnerabilities are found.

So to answer your question in a round about way, yes these will be a bigger target for hackers by virtue of the fact that it's on all on a publicly accessible network.

[millsy_c]

Probably worth mentioning that last.fm was done too

[elvis]

Quote:

Originally Posted by IACSecurity

Most sites have their 'security comment' and its 'we use SSL, 128-bit, like the banks'.

And tragically, that's enough to convince most executives that it's "secure enough" so that they'll sign a contract without talking to their technical/security people.

[Daemon]

Quote:

Originally Posted by IACSecurity

Most sites have their 'security comment' and its 'we use SSL, 128-bit, like the banks'. Its pretty humerus/sad.

I've seen this with a number of custom written e-commerce systems, you ask about security and they point out that they use an SSL when taking a payment. You then ask about what PCI-DSS compliance they have and you get a funny look. Even worse when you quiz them further and find CC details stored in the database in plain text.

As elvis points out though, the best way to prevent your system from being hacked is to ensure it's not an easy target. Only allow through the firewall what's absolutely necessary, ensure all your software is kept updated and don't store passwords in emails / word docs / plain text. There is an increasing trend of hackers using malware infested machines to scan your emails / docs looking for login (eg SSH / FTP etc) details. It's very easy to compromise a server if you have full access to it

[millsy_c]

Currently doing a somewhat high level analysis of a financial services provider so will be interesting to see what we come across

[f3n1x]

Quote:

Originally Posted by Daemon

I've seen this with a number of custom written e-commerce systems, you ask about security and they point out that they use an SSL when taking a payment. You then ask about what PCI-DSS compliance they have and you get a funny look. Even worse when you quiz them further and find CC details stored in the database in plain text.

As elvis points out though, the best way to prevent your system from being hacked is to ensure it's not an easy target. Only allow through the firewall what's absolutely necessary, ensure all your software is kept updated and don't store passwords in emails / word docs / plain text. There is an increasing trend of hackers using malware infested machines to scan your emails / docs looking for login (eg SSH / FTP etc) details. It's very easy to compromise a server if you have full access to it

Probably good idea to just not let them get on your machine in the first place.

[millsy_c]

Quote:

Originally Posted by f3n1x

Probably good idea to just not let them get on your machine in the first place.

I think designing a system assuming it's bulletproof is an insanely bad idea, just throwing it out there

[Daemon]

Quote:

Originally Posted by f3n1x

Probably good idea to just not let them get on your machine in the first place.

I probably didn't word the post well enough sorry, what I meant is that instead of hackers targeting the servers they're targeting the client machines (ie the weakest point). With a lot of smaller businesses or home machines there isn't always the same level of protection or no protection at all.

I've had to analyse some "hacked" servers over the last few months and a number of them had just one FTP/SSH login attempt (ie not brute force) with no other attacks logged. In nearly all of these cases running anti-virus / anti-malware software on the client's end workstations has found a trojan or similar capable of data logging or remote access, so this is how they have retrieved the password.

[millsy_c]

Yeah that's exactly it, the number of issues I've come across today an internal attack could exploit is phenomenal

[millsy_c]

Quote:

Originally Posted by millsy_c

Currently doing a somewhat high level analysis of a financial services provider so will be interesting to see what we come across

Oh god what am I looking at