City Servers Hacked

Started by patric, September 13, 2012, 12:13:45 PM
RecycleMichael

Power is nothing till you use it.

Gaspar

When attacked by a mob of clowns, always go for the juggler.

Gaspar

Quote from: shadows on October 03, 2012, 03:43:10 PM

The dollar tree is at the airport where millions of dollars of services and equipment are leased for a dollar a year.
Try B.A. and clean off your drive so the dump truck can dump a load of those green-backs.

My translator is broken.  Anyone got a bead on this?
When attacked by a mob of clowns, always go for the juggler.

nathanm

Quote from: Conan71 on October 03, 2012, 09:56:04 AM
And it took how long to figure this CF out?

The problem isn't stupidity, it's a lack of communication (or understanding) between the security consultant and the IT department. Whose fault that is, I can't say, but I've always known security consultants to be very clear about what they're going to do and very quick about notifying you what they've done after they've done it, precisely to prevent situations such as this.

"Labor is prior to and independent of capital. Capital is only the fruit of labor, and could never have existed if labor had not first existed. Labor is the superior of capital, and deserves much the higher consideration" --Abraham Lincoln

Townsend

Quote from: Gaspar on October 03, 2012, 03:50:31 PM
My translator is broken.  Anyone got a bead on this?

It's from the musical "Grease".

We go together Like rama lama lama ka dinga da dinga dong

Remembered forever

The dollar tree is at the airport where millions of dollars of services and equipment are leased for a dollar a year.
Try B.A. and clean off your drive so the dump truck can dump a load of those green-backs.

As shoobop sha wadda wadda yippity boom de boom
Chang chang changitty chang shoobop
That's the way it should be, wha oooh, yeah

shadows

Naw, there was no hacking done to the city computers. It all reflects on the high priced surveys of city departments that always come back with "too much top heavy management". Even ex-councilors seem to grasp the over burden being carried by working poor citizens. They missed the appraisal of the former city hall by 90%. Now the bond rating on ability to pay is less than AAA. -AAA means there could be troubled waters ahead.
Today we stand in ecstasy and view that we build today,
Tomorrow we will enter into the plea to have it torn away.

rdj

Quote from: shadows on October 11, 2012, 10:27:11 PM
Naw, there was no hacking done to the city computers. It all reflects on the high priced surveys of city departments that always come back with "too much top heavy management". Even ex-councilors seem to grasp the over burden being carried by working poor citizens. They missed the appraisal of the former city hall by 90%. Now the bond rating on ability to pay is less than AAA. -AAA means there could be troubled waters ahead.

The last bond issue by the city of Tulsa in March of this year received an Aa1 from Moody's. That is one step down from the best. It is a very small degree of difference from AAA. Now the public facilities authority did receive an Aa2. Which is still two steps removed from the top and still considered a high grade. In comparison Moody's rates JPM as A2 which would be five steps from the top.
Live Generous.  Live Blessed.

patric

Got to be careful when you discover some website's poor security:

Expose Blatant Security Hole From AT&T... Face Five Years In Jail
from the security-through-threat-of-intimidation dept

A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T's setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users' info. And that's what these hackers did -- collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others."

This seemed like a pretty massive flaw in the design of the system by AT&T... but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That's a law that we've been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as "unauthorized access" under the bill.

Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.

Obviously, there may be a fine line between "white hat" exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.

http://www.techdirt.com/articles/20121121/09030521112/expose-blatant-security-hole-att-face-five-years-jail.shtml 
"Tulsa will lay off police and firemen before we will cut back on unnecessarily wasteful streetlights."  -- March 18, 2009 TulsaNow Forum

nathanm

Don't get me started on that one. By the logic used in that case, there's no way to know whether you're violating the law or not unless you only ever click internal links on a given website. There are technical means by which servers tell you "no, you are not allowed to access this resource" and possibly offer a method with which to authenticate. at&t decided not to do that and got pissy when someone discovered their omission. On the bright side, it exposed the abuse the CFAA can be subject to.

It's also funny how great the misunderstanding of the technology was. In nearly every important detail the prosecution's argument flew in the face of reality. ICCIDs do not identify nor authenticate users in the way they are normally used, yet they were considered credentials. at&t made the data public, but somehow weev should have just known that it was intended to be nonpublic and that the ICCID was being used to authenticate users even though the ICCID is explicitly not secret nor (in the relevant standards) used to identify a particular subscriber.
"Labor is prior to and independent of capital. Capital is only the fruit of labor, and could never have existed if labor had not first existed. Labor is the superior of capital, and deserves much the higher consideration" --Abraham Lincoln
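An added example, not part of the thread, the Techdirt article patric quotes, or any AT&T code: a toy model of the lookup the article describes (feed the site an ID, get the account email back, with IDs handed out in sequence) next to the kind of handler nathanm's reply calls for, one that uses the server's own way of saying "no" (401 with WWW-Authenticate, or 403) instead of relying on the ID being unguessable. The endpoint shape, the ICCID values, the email addresses and the session-token scheme are all constructed for illustration.

```python
"""
Toy model of the sequential-ID lookup flaw and a hardened counterpart.
Everything here (IDs, emails, endpoint behaviour, token scheme) is made up
for the example; none of it is taken from AT&T or from the court record.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory. The IDs are sequential, as the article says
# AT&T's were, so an attacker can simply count upward.
SUBSCRIBERS = {
    89014100000000000001: "alice@example.com",
    89014100000000000002: "bob@example.com",
    89014100000000000003: "carol@example.com",
    89014100000000000005: "dave@example.com",   # gap: not every ID is live
}


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# --- vulnerable: the identifier is the only thing the server checks ----------
def vulnerable_lookup(iccid: int) -> Response:
    """Anyone who supplies an ID gets the account email back. No auth at all."""
    email = SUBSCRIBERS.get(iccid)
    if email is None:
        return Response(404)
    return Response(200, email)


def enumerate_accounts(start: int, count: int) -> dict:
    """Walk sequential IDs and keep whatever the endpoint hands back."""
    found = {}
    for iccid in range(start, start + count):
        resp = vulnerable_lookup(iccid)
        if resp.status == 200:
            found[iccid] = resp.body
    return found


# --- hardened: authenticate, then authorize; the ICCID stays public ----------
# Session token -> ICCID. Tokens are random and issued after some real login
# step (not modelled here), so there is nothing to iterate. The ICCID itself is
# still sent in the request; it just no longer proves anything by itself.
SESSIONS: dict = {}


def issue_session(iccid: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


def hardened_lookup(iccid: int, bearer_token: Optional[str]) -> Response:
    """Refuse with 401/403 before the directory is ever consulted."""
    if bearer_token is None:
        # No credential at all: tell the client how to authenticate.
        return Response(401, headers={"WWW-Authenticate": 'Bearer realm="account"'})
    owner = SESSIONS.get(bearer_token)
    if owner is None:
        return Response(401, headers={
            "WWW-Authenticate": 'Bearer realm="account", error="invalid_token"'})
    if owner != iccid:
        return Response(403)   # authenticated, but not this subscriber's record
    email = SUBSCRIBERS.get(iccid)
    return Response(200, email) if email else Response(404)


def enumerate_hardened(start: int, count: int, bearer_token: Optional[str]) -> dict:
    """Same walk against the hardened handler: yields only the caller's own row."""
    found = {}
    for iccid in range(start, start + count):
        resp = hardened_lookup(iccid, bearer_token)
        if resp.status == 200:
            found[iccid] = resp.body
    return found


if __name__ == "__main__":
    base = 89014100000000000000
    print("vulnerable:", enumerate_accounts(base, 10))
    tok = issue_session(base + 2)
    print("hardened, no token:", enumerate_hardened(base, 10, None))
    print("hardened, bob's token:", enumerate_hardened(base, 10, tok))
```

The point of the second handler is the one nathanm makes: the ICCID is not a secret and is not treated as one. The server answers a bare request with 401 and a WWW-Authenticate header, answers a valid session asking for someone else's row with 403, and only then looks anything up, so walking the ID space with or without a token recovers nothing beyond the caller's own account.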