McDonald's not lovin' it when hacker exposes rotten security (www.theregister.com)
from vk6flab@lemmy.radio to privacy@lemmy.ml on 31 Aug 12:31
https://lemmy.radio/post/9141842

#privacy


Truscape@lemmy.blahaj.zone on 31 Aug 15:21 next collapse

Oh yeah the free food guy, I heard about this one. Also the clusterfuck that is their employee backend.

scytale@piefed.zip on 31 Aug 16:07 next collapse

They had fun writing this article:

allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing

with no server-side checking, allowing a Hamburglar to order food for free

eventually got through to a security McEngineer who said that they were "too busy" to fix the flaw

Coincidentally, I saw on LinkedIn last night they were hiring a Security Operations manager. They should get an AppSec person instead to fix those issues.
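
The "no server-side checking" line quoted above is the core of the free-food flaw: the app computed the price in the client and the server charged whatever it was sent. The following is an added example, not code from the article, from McDonald's, or from anyone in this thread; the menu, prices and promo codes are made up, and the two `charge_*` functions are a toy model of the ordering endpoint, vulnerable form beside the hardened one.

```python
"""Client-trusted vs server-recomputed order totals.

Added illustration of "no server-side checking": a minimal model of an
ordering API. Menu, prices and promo codes below are constructed for
the example and are not from the article.
"""

# Constructed menu; in the hardened path the server is the only source
# of truth for prices (cents).
MENU = {
    "burger": 599,
    "fries": 299,
    "shake": 399,
}

# Constructed promo store: code -> (discount in cents, still valid?)
PROMOS = {
    "WELCOME1": (100, True),
    "EXPIRED": (500, False),
}


class OrderError(ValueError):
    """Raised when an order fails server-side validation."""


def charge_trusting_client(order: dict) -> int:
    """Vulnerable: the client sends unit prices and a discount and the
    server simply adds them up. A client that sends unit_price=0, a
    negative quantity or an oversized discount pays nothing."""
    total = 0
    for line in order["items"]:
        total += line["unit_price"] * line["qty"]
    total -= order.get("discount", 0)
    return max(total, 0)  # clamping hides the problem; it does not fix it


def charge_server_side(order: dict) -> int:
    """Hardened: ignore any client-supplied price or discount, recompute
    the total from MENU, validate quantities, and honour only promo
    codes the server knows and considers valid."""
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise OrderError("empty order")
    total = 0
    for line in items:
        sku = line.get("sku")
        if sku not in MENU:
            raise OrderError(f"unknown item {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 50:
            raise OrderError(f"bad quantity for {sku!r}")
        total += MENU[sku] * qty
    code = order.get("promo")
    if code is not None:
        if code not in PROMOS:
            raise OrderError("unknown promo")
        amount, valid = PROMOS[code]
        if not valid:
            raise OrderError("promo expired")
        total -= min(amount, total)  # never below zero
    return total


def rejects(order: dict) -> bool:
    """True if the hardened path refuses the order."""
    try:
        charge_server_side(order)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker request: real SKU, client-chosen price of 0.
    attack = {"items": [{"sku": "burger", "unit_price": 0, "qty": 2}]}
    print("trusting client charges:", charge_trusting_client(attack))
    print("server-side recompute charges:", charge_server_side(attack))
```

The clamp in the vulnerable function is the kind of fix that looks like validation but only stops the total going negative; any check that consumes a client-supplied price is still client-side checking.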

misteloct@lemmy.dbzer0.com on 31 Aug 16:19 collapse

Professional software engineer here. Security Engineers don’t do that, they write harrowing reports that get ignored by Security Operations Managers.

sunzu2@thebrainbin.org on 31 Aug 16:21 collapse

Executive leadership at its finest.

PushButton@lemmy.world on 31 Aug 16:53 next collapse

I am not mad at the vibe coders, I got cheeseburgers!

Now, a new car would be great… Tell the CEO how great AI is and how much money they are going to save please.

meliante@lemmy.pt on 31 Aug 17:16 next collapse

Fucking vibe coders and their security flaws.

Jumuta@sh.itjust.works on 31 Aug 17:16 next collapse

security through obscurity!

limer@lemmy.ml on 31 Aug 18:21 next collapse

Security through obesity also

dRLY@lemmy.ml on 02 Sep 04:55 collapse

I wonder if it was more like folks putting stuff together to just work (likely with demands of it getting done really quick). But then the folks that got it implemented forgot to change the default/placeholder stuff (at least for the passwords). Just like how basically all routers used to have the same log-ins that never got changed by the end-users because it “just worked” out of the box (even if the labels and setup clearly said to change them first thing). I really hate how companies of all sizes seem to think of IT/sec as something that is just a drain on money that could be used for making profits look better.

redlemace@lemmy.world on 31 Aug 18:19 next collapse

Thnx but no thanks. Not eating McD even if I can order it for free.

Blackfeathr@lemmy.world on 31 Aug 20:07 collapse

I’ve been McD free since last year. Too expensive for the quality of food and they push their app too hard on people. Not worth the space on my phone.

quick_snail@feddit.nl on 01 Sep 03:13 next collapse

We finally unmasked the Hamburglar

Taldan@lemmy.world on 01 Sep 03:37 next collapse

That’s a whole lot of incompetence from McD

You can pretty well guarantee there are plenty of security flaws left. If anyone wants free food, I’m sure it’s still easy to do

vane@lemmy.world on 01 Sep 03:47 next collapse

Thank you for helping corporations for free I guess. They’re proud of you.

vk6flab@lemmy.radio on 01 Sep 05:08 collapse

Yeah … that thought occurred to me as well.

I wonder if there’s a way that you can legally monetize the process, so the organisation who left a gaping hole … or several bazillion in this case … gets an education in corporate security and the researcher gets paid for their efforts. A corporate symbiosis if you like.

Of course the non-legal way is extortion … but that tends to go towards warfare and mutually assured destruction, rather than collaboration.

Perhaps this opens the door to a white hat penetration testing department at the corporate regulator who issues fines (which pay for the work) … but I’m not seeing any evidence of an appetite for anything even remotely resembling such a set-up anywhere on Earth.

Espionage on the other hand …

ArmchairAce1944@discuss.online on 02 Sep 01:28 collapse

I remember there was a time when I would look at Hollywood hackers and say ‘nah, that’s unrealistic. Doesn’t happen that way’ and then in 2020 when I started reading about actual hacks I came to the realisation that not only is Hollywood hacking real, but the movies understate what can be done. It was like the opposite of learning that Santa Claus isn’t real.

vk6flab@lemmy.radio on 02 Sep 02:16 collapse

The Hollywood hacking depictions are equivalent to seeing syringes being used on film. To the uninitiated it looks “real”, the reality is somewhat different.

Source: I’ve been an ICT professional for 40+ years and have had hundreds of (medical) needles poked in me over much of my life.

ArmchairAce1944@discuss.online on 02 Sep 03:48 collapse

That makes sense. But maybe there is something else… Hollywood exaggerated what could be done too soon.

Take the classic 1995 films The Net and Hackers. (I love Hackers now in a bittersweet way because of just how sincerely positive they felt towards the future and the future of the internet. Genuinely believing that it will forever be a place of freedom and ruled by wild west cowboy hackers who will not only do things out of curiosity, but also never sell out. To be fair, they were going by The Hacker Manifesto.)

In The Net, you have a terminally online cybersec specialist (a female cybersec specialist, and terminally online… in the mid-90s. The former is believable, the latter is not… there just wasn’t THAT much to do online at the time) who gets her life torn apart when people erase her very existence using the internet. They state that ‘everything is online now’ meaning everything can be accessed and destroyed, thus rendering her a non-person with no records of who she was because they purged all databases of her records.

In Hackers, you have somewhat the same thing play out… but it was done as a gag and clearly undone later. There is a US Secret Service agent causing the protagonists some trouble, so they make trouble for him by creating online dating profiles with his name and contacts (and putting extreme fetishes he does not have, thus having him be called by all manner of weirdos), cancelling his credit cards, and the funniest part: They have him declared legally dead somehow. All of this is undone of course, and the whole sequence played for laughs, but it greatly exaggerated what was and what wasn’t online at the time.

One thing that absolutely COULD have happened that I didn’t think was possible was in the 4th Die Hard movie, Live Free or Die Hard… in the movie the bad guys hack a city’s traffic lights and make them all green all the time, thus causing numerous traffic accidents. I rolled my eyes when I saw it and said ‘nah, that can’t happen’… only for me to read later that not only could such a thing happen, but it could happen in the stupidest way possible. Some hacker managed to find a clear-net website of some town that had their traffic light control on… and it was 100% unsecured. Meaning anyone with the URL could have just gone on and caused a lot of damage. The person who discovered it, thankfully, did not. But the fact that it COULD have happened was astonishing to me.

Now you have so much shit going on it isn’t funny. I can’t keep track of all the major hacks that just keep happening. From the Tea hack, to Las Vegas being compromised, to all sorts of shit. It is just incredible.

Ilovethebomb@sh.itjust.works on 02 Sep 05:20 collapse

I have serious doubts about the traffic light thing, any even remotely well-designed system would have interlocks that don’t allow green from multiple directions.

Shutting them down or changing the sequencing, sure, but not multiple greens at once.