Open Source and information security mailing list archives
Date: Tue Jun 27 00:58:14 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Attachable devices; corporate networks; yahoo;
	securityfocus

This stuck out for me today when I opened up Securityfocus, and I
don't usually mention Securityfocus News articles because they are
cringeworthy nearly every day, although this one today hit a nerve for
me...

I wasn't allowed to say on Securityfocus.com that I thought usb drives
just come under the "wireless" threat. Like laptops, like mobile phone
and other attachable devices, which walk into Sunnyvale. And that the
Securityfocus news article was a "non news". We've been hacking Yahoo
for years by first of all tracking down employees via weblogs (another
threat Yahoo won't listen to us about), where employees are openly
saying their job title description and talking about inside yahoo,
(which is a security threat in itself), so we are able to know
we're targeting the right employee. (Plus we are able to target Yahoo
employees because of this http://www.flickr.com/photos/ycantpark
website where yahoo employees take pictures of cars parked outside
sunnyvale, including number plates in full view, so now we know where
exactly employees live. Yahoo security team do not see the flickr
account as a threat to corporate security of data or its employees and
will not shut the web site down. Even though we've e-mailed yahoo
security to tell them that it's directly a threat. I won't go into
detail on a public list exactly how these photos can be used, but
think about the 'mind think' of stealing devices (or paperwork) from
that car if it's downtown away from sunnyvale, or /and/ follow car to
home address of employee... break into home... infect computer, or
steal paperwork, or device. Under normal circumstances a member of the
public cannot stand in a sunnyvale carpark and take pictures can they?
with yahoo employees, the task of the corporate hacker is made easy.).
We then go to hack their weblog, server, and personal home computer.
This is the same home personal computer that they plug in their 'plug
n play devices', including USB, like all other attachable plug n' play
device. We infect that flash drive, laptop, mobile phone, and then
wait for Yahoo employee to walk into the Sunnyvale internal backyard
network, where the employee plugs in their plug n play device. This
allows us to take over complete control of that employee's
corporate-side computer, and the entire network that device has
plugged into. It makes no difference if it's USB, or a laptop, mobile
phone, the threat is the same. Securityfocus wouldn't let me post
under their article, as they don't believe in freedom of speech, even
though we have killed all over 38,000 civilians (so far) in Iraq for
freedom of speech seems to have gone to waste, and a statistic which i
am personally furious about, especially when I try and post on a
western security news site and i am denied my right to express my
personal opinion.

People we've killed for freedom of speech http://www.iraqbodycount.net/

Securityfocus "News" article about attachable devices
http://www.securityfocus.com/news/11397  which everyone has been
exploiting for years, although Securityfocus think this is news
worthy.

The technique to hack a corporate network has been used for years
using plug n play devices... (Yes, including USB flash memory
sticks...).

Securityfocus didn't research the technique before reporting "Secure
Network Technologies" and how credible that news would be for the
Securityfocus front page readers.

And that was all before the biggest surprise of all, once you open the
article, I was met with a commercial banner at the top of the
Securityfocus website advertising this:
http://adserver.securityfocus.com/RealMedia/ads/click_lx.ads/www.securityfocus.com/home/1879095141/Top/OasDefault/GFI_05_24_06_Banner/ESEC_BlueUSBstick(728x90).gif/63336263393830653434386663623430

Which then made me think, why am I visiting Securityfocus, they are
just writing up articles depending on what sponsors they have that
month, than actual "news" that people need to know about to secure
their corporate network.

Thanks for listening,

n3td3v

Yahoo don't see a computer threat being a real life threat... people
stealing attachable devices / paper work from cars etc. We tried
mailing Yahoo for years about all of the above, they don't listen.
Yahoo, why don't you start taking security seriously, not just a
slogan you give to your Yahoo media relations team to push out to
online news journalists, to look professional. Actually mean what you
say, and secure Yahoo from electronic computer attacks on your
network, which have originated from targeting Yahoo employees via
weblogs, cars in your car park and the home computers of your
employees and the devices (including USB flash memory) they carry in
and out of Sunnyvale everyday.
