
Re: phishing and wifi hotspots..

  • mwinslo5@optonline.net
    Message 1 of 11 , Nov 22, 2012
      Haha.. just thinking back... around '85 or so... I was involved with the first coast to coast X.25 ATM transaction.. A certain person there whom I'd never seen before, introduced themselves as the head of security.. The Diebold guy and I were there. We smiled at each other.. I said watch this.. hooked up a 2k$ box to the RS232 connector, and we took a supposedly secure ATM card with a real PIN, and had it dispense some test money (eg not real cash) for us in the lab - using an incorrect PIN#.. I find that when people think that they are secure, they are the most vulnerable, and that security systems shouldn't be reviewed by the designer, but in conjunction with an 'outsider' who can think outside of the box. the same way that a hacker would. You plug more holes that way.. I'm pretty damn good at breaking things which are thought to be unbreakable... it started when I was very young.. few of my toys survived long, because I tended to tear them apart to see how they worked..

      I can share this story, as so many years have passed, and none of those companies are in business any longer.. Same bank.. As I was walking out with the VP, I had a back-up tape in my briefcase.. Since I was with a VP who had a "don't mess with me" reputation.. When the security guard asked "what's this?" I said "don't worry, it's mine. It's just a back-up tape". He waved me through.. Later I told the VP what had just happened, and asked him why he even bothered with exit security when they didn't even know when the right time to do his job was.. BTW the back-up tape was for the Honeywell OS on the network controller, and had no sensitive information on it..

      That part is called "social engineering". It's still quite effective in certain cases.. so many stories.. so little time.. but they all center around the concept of the illusion of security.. It evolves constantly.. As it should..


      --- In cablevision_digital@yahoogroups.com, mwinslo5@... wrote:
      >
      > What you say is for the most part true, but a crack becomes a hole.
      >
      > Does an email account require SSL login in all cases, and do people tend to not know that or what that means? do most people use strong passwords? remember - an email client differs from webmail. So, can you consider this? Also, consider the recent NBC report from a couple days ago.
      >
      > Are all web browsers alike? do each of them have both known and unknown zero-day exploits? You're not dealing with a newbie on this issue.. more of an old white-hat with assembly language knowledge, and how forcing a stack exception can allow administrative access in some OS's which allow for further exploitation.. The internet is a dangerous place, and certain people with nefarious inclinations are constantly creative.. Back in 2000, certain people were highly aware of how a DNS hijack can lead to a man in the middle further exploitation... exploits like back-orifice, which is rather dated can still be discovered.. My firewall log shows continuous probing.. Originally I posted on this issue, as a replacement phone which was unwipeable by myself through normal methods was returned to Asurion assuming that they would follow proper procedure. Months later, problems appeared.. I think that we should be more paranoid, than naive in this regard. This is why I addressed this to Wilt's attention.. So there are certain things which will not be discussed except under appropriate privacy situations, and not in a public forum.. I think we are only seeing the tip of the iceberg sailing the Titanic on the internet.. not a good time to arrange desk chairs.
      >
      >
      > --- In cablevision_digital@yahoogroups.com, "marcauslander" <marcausl@> wrote:
      > >
      > > I'm confused by what exposure you are warning us about.
      > >
      > > The autologin supported by CableWiFi, AFAIK, only gets your machine on the internet. So a bad guy could clone your MAC to get on CableWiFi. Or he could go into any Starbucks, or library, or ... and get on the internet.
      > >
      > > Once on the internet, you still need to do a real login to get at your Cablevision stuff, or your Google stuff, etc. And those that matter use https.
      > >
      > > So again - what exactly is the threat?
      > >
      > > --- In cablevision_digital@yahoogroups.com, mwinslo5@ wrote:
      > > >
      > > > I just discovered one of these with my sister via Comcast...bad guy takes rooted device, or Linux or unix box...collects list of valid mac addresses, email addresses and passwords, then uses these for phishing. Since many people use both weak passwords which are common across accounts, it's a hacker's playground out there. The phishers don't necessarily change or hijack the email account, but use it for hit and run attacks.
      > > >
      > > > Just a FYI - I thought that one of my ex-ixia co-workers was just messing with me after my original report...I'm guessing that he has one of these real time phishers in one of his accounts as well.
      > > >
      > > > MAC address device validation is way too primitive in this day and age, and if the MSO's don't start giving us digital tokens, and some stronger security, the 4G guys are going to end your party pretty quickly since they at least can exchange a higher level of validation via SSL.
      > > >
      > > > This auto-sign in, while convenient, needs to disappear in a hurry from the MSO's before we suddenly find that someone like a non-US sovereign has made this into a practice and becomes a sleeper resource in order to attack the US infrastructure. Smartphones and tablets contain more information than wallets that a pick-pocket takes. There are too many tools out there which phishers can silently hijack MSO email accounts with significant ease.
      > > >
      > > > Aren't your security guys aware of this? This is serious stuff.
      > > >
      > >
      >
    • marcauslander
      Message 2 of 11 , Nov 23, 2012
        You are describing the risks of being on ANY public, unencrypted, network. This has nothing to do with CV authenticating by MAC address.

        Yes - the naive would be safer if all public networks were encrypted but that's not going to happen - the key management is just not practical.

      • mwinslo5@optonline.net
        Message 3 of 11 , Nov 23, 2012
          PM me if you wish to speak further. yes and no..

        • Manoj Tejwani
          Message 4 of 11 , Nov 23, 2012
            Since yesterday I have been getting a black rectangular box on the bottom of the screen on Bloomberg (105 and 722). When I hit info or pause the screen - basically when some information is called into the screen the black box goes away. If I pause and rewind the scene the black box goes away like it was never there but comes back on in a few seconds.

            This is not a TV issue but seems like a broadcast or cablebox (SA 8300HD) software issue. I have tried booting the box.

            See image attached below.
            Has anyone seen this before or would have any ideas on what it could be?



            [Non-text portions of this message have been removed]
          • mwinslo5@optonline.net
            Message 5 of 11 , Nov 23, 2012
              OT.. repost as separate topic
