Another day, another vendor is caught running critical infrastructure on expired OS’s. This time Medicine, and Siemens medical scanners. This ICS-CERT advisory points out that Siemens PET-CT solutions are running on Windows 7, un-patched by Siemens since 2015 and thus at least 3 known security holes exposed. The corresponding Siemens advisory is to disable network connections for the devices until patched. I wonder how many more proprietary solutions with this issue we will come across.
Tag: Hacking
Social Bots and the creation of fake news
An enlightening article in MIT’s Technology Review on the work done by Chengcheng Shao and colleges at Indiana University on the impact of Social Bot Nets focusing on the propagation of news from 122 identified fake news sites into social media. This was then weighted against 15.000 stories from accredited news sites for comparison and setting up platforms to keep real and bot users apart in the analysis. Interesting read.
Do you have one of the 306,000,000 passwords already hacked?
Troy Hunt (of Have I Been Pwned) has made his collection of 306 million pawned hashes available online with a detailed explanation of the collection of the broken passwords, the sources and a general run through of NIST suggested strategies to make you passwords more safe.
For the inpatient ones the simple approach is to go straight for the checker and see if your password has already been pawned. My current password pass the test, but a worrying amount of my older and simpler passwords are all positive as pawned. Continue reading “Do you have one of the 306,000,000 passwords already hacked?”
Hacking a car wash to “attack” a car
An interesting article on Bleepingcomputer with another White Hat discovery: Now how to hack a PDQ car washing machine to damage the car it is washing. Not a very advanced hack, a poor web-server implementation with am authentication bypass. I wonder if this can also be used for free car washing?
Nation State hacking and it’s impacts (this time in the Middle East)
Nation State hacking gets little attention outside of when stupid mistakes are made (Stuxnet springs to mind), but is still prevalent. An op-ed by Adam Segal in NY Times has a good update on the recent activities in the Middle East, focusing on the alleged UAE hacking’s into Qatar news ond government systems. As was noted by Peter G. Neumann, this is not the first time we have seen this lately. Continue reading “Nation State hacking and it’s impacts (this time in the Middle East)”
DEFCON 25 – Electronic Voting Machines hacked
A write up on Alternet on the DFCON 25 hack attack on American Electronic Voting with an attached video showing the hacks done live. The attacks took from minutes to hours, but all where hacked and altered with little or no traces left behind. Another warning on using technology before it is ready for the use you intend. The safety in electronic voting has always been questioned, here is further argumentation against using the technology for elections until it is fault proof.
Brickerbot claims to brick 60K Modems/Routers in India
An interesting article on Bleeping Computer on a claim from a Brickerbot Dev that hey have bricked 60.000 modems and routers in Indian blocking subscribers on Bharat Sanchar Nigam Limited (BSNL) and Mahanagar Telephone Nigam Limited (MTNL) form accessing the internet. The obvious path of attack: default usernames / passwords exposed to internet. The joy of our IOT world continues!
How the Citadel Banking Trojan Authors really got caught
Brian Krebs has posted an interesting and moderately detailed rundown on how the FBI managed to track and capture the creators of the Citadel Trojans. The fact that the authors decided to crowd source the support of the Trojans to it’s customers and the subsequent fallout speaks volumes about the issues related with the commercial distribution and support of Dark Net services.
Another White Hat is arrested after reporting flaws
Another example of the perils of trying to help companies keep their website safe. The 18 year old Hungarian found a gaping hole in the security for Budapest’s Transport Authority. The resulting arrest enraged the Hungarian public, and the way the company handled the issues is a 101 course on how not to respond to public outrage. For those that want an English summary, here is an article on The Register.