On Sat, May 31, 2008 at 12:47 PM, Russell Coker <russell@xxxxxxxxxxxx> wrote: > On Saturday 31 May 2008 10:34, "Justin Mattock" <justinmattock@xxxxxxxxx> > wrote: >> would this have been a better outcome. As for what happened at >> comcast, I really don't know, I just don't like hearing story's like >> that, The positive side is the hackers exposed holes which can then be >> fixed, but in this case the hackers exposed the holes, they just chose >> to ignore them,(if this is the case) causing a more of a wakeup call >> later in time. > > http://en.wikipedia.org/wiki/Comcast > http://en.wikipedia.org/w/index.php?title=Comcast&oldid=216058661 > > According to the above page (I give the URLs for the latest page and the > specific version that I cite) the comcast hack was based on "gained control > of Comcast's domain management console at Network Solutions". > > http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html > > The Wikipedia page cites the above Wired article which says "the pair used a > combination of social engineering and a technical hack to get into Comcast's > domain management console at Network Solutions. They declined to detail their > technique, but said it relied on a flaw at the Virginia-based domain > registrar". > > Sufficiently advanced/dedicated/lucky social engineering can get through > almost any defence. A majority of such attacks involve tricking someone into > giving away their password. > > It is claimed that there is a flaw with Network Solutions software but no > evidence is presented. If the claim is correct then there would be nothing > that Comcast could have done in software as the problem would be some > combination of Comcast people and procedures combined with NetSol software. > > Web Apps are a problem area. One question I have been asked a few times is > about how to use SE Linux to secure a Web App that does something important. > The question often is effectively "how can I make a program which is designed > for the specific purpose of managing sensitive data not have the ability to > mis-manage it". The answer is that if you have multiple sets of data that > you want to keep separate then you can do it, but if you have it all together > then there's not much that can be done. > > I do however have some ideas for ways that it might be possible to use SE > Linux to improve the security of Wordpress, I'll have to blog about that. > But first I want to get a proof of concept. I expect that like most people > the Wordpress developers aren't enthusiastic about suggestions like "here's a > way that you could do a heap of work to solve something that you might not > even consider to be a bug, I'm not even sure it'll work but I'll tell you > anyway". > > Finally one lesson that can be learned from Comcast is that if some data which > is important to your operation unexpectedly gets changed to include profanity > then you need to take it as proof of a serious problem which requires > immediate action. Also if someone who has no good reason to know your job > calls you at home to discuss it then you should listen to what they have to > say - once they have demonstrated that they have access to secret data you > have to assume that there is more and you need to know what it is. > > -- > russell@xxxxxxxxxxxx > http://etbe.coker.com.au/ My Blog > > http://www.coker.com.au/sponsorship.html Sponsoring Free Software development > Thanks for the response, After reading through I get mixed emotions, but coming down to conclusions, personally the hackers responsible should take more responsibility for there actions and come out and admit how they performed the attack, and so forth. (but then I would be asked to get a reality check) overall It seems maybe they need a job. I can't tell you how many people have told me "the only way to get a job in computers is to hack into a big company, or government entity" I always responded "yeah right fuck that shit", "Don't do the crime if you can't do the time". Anyways the best would be to learn from the mistakes, or holes in this case and grow stronger. regards; -- Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
