Category Archives: Security

The “Bomb Magnet”, a British Soldier in Afghanistan

The Sunday Telegraph has a fascinating first-person account of military operations in Afghanistan by the ‘bomb magnet’ soldier blown up 15 times. A Company, 4 Rifles fought against 500 attacks and had 200 IED incidents at Forward Operating Base Inkerman, Sangin, Helmand Province. One in four of the company were killed or injured by situations such as this one:

On another occasion, the sergeant major spent 26 hours in a Mastiff, which had been blown up by two Russian-made anti-tank mines stacked on top of each other.

Describing the event, he said: “We were moving down Route 611 to recover a vehicle which had been blown up after a 107mm rocket had been fired at it. The vehicle had burned for 36 hours and no one had gone near it but as soon as the fire went out, the area was flooded with kids. We recovered the vehicle and then returned along the same stretch of road two hours later on another job.

“What we didn’t know at the time was that the Taliban had managed to lay three devices in a carefully planned IED ambush in just 20 minutes, in broad daylight in an area being monitored by two bases with cameras.

Hacking passwords to Hell

Hell is actually a pizza chain that started in 1996 and now has 64 stores in New Zealand, England, Australia and Ireland.

Clever marketing strategy, but a website they used to manage customer information is said to have been breached. A police report revealed more than 230,000 “entries” at risk with names, phone numbers, email addresses and passwords. Risky Business claims an exclusive on this story, called “I know what you ate last summer”:

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a ‘feature’ of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) – and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as “about 50 steps of fail”.

HD could have gone for the 9 levels of Infernal fail, or called it divinely comical, but 50 steps is still pretty good.
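The design flaw the source describes (SQL text chosen by the client and executed by the server) next to a hardened handler, as an added example that is not code from the site or from Risky.Biz. Python's sqlite3 stands in for MySQL, and the table names, action names and handler functions are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample data; the schema is an assumption, not the site's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE menu(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO menu VALUES (1, 'Margherita', 18.5), (2, 'Pepperoni', 17.0);
        INSERT INTO users VALUES (1, 'a@example.test', 'constructed-hash');
    """)
    return db


def handle_client_sql(db, query_string):
    """Flawed design from the post: the server runs whatever SQL the client sends."""
    sql = parse_qs(query_string)["sql"][0]
    return db.execute(sql).fetchall()


# Hardened design: the client names an action, the SQL text lives only on the
# server, and every value is type-checked and bound as a parameter.
ACTIONS = {
    "menu_item": ("SELECT name, price FROM menu WHERE id = ?", [("id", int)]),
    "menu_list": ("SELECT name, price FROM menu ORDER BY id", []),
}


def handle_named_action(db, query_string):
    params = parse_qs(query_string)
    action = params.get("action", [""])[0]
    if action not in ACTIONS:
        raise ValueError("unknown action")
    sql, spec = ACTIONS[action]
    if set(params) - {"action"} - {name for name, _ in spec}:
        raise ValueError("unexpected parameter")
    # int("") or int("1 OR 1=1") raises ValueError, so bad input never reaches SQL.
    args = [conv(params.get(name, [""])[0]) for name, conv in spec]
    return db.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(handle_named_action(db, "action=menu_item&id=1"))
    try:
        handle_named_action(db, "sql=SELECT+email+FROM+users")
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened handler has no code path that reaches the `users` table, so the storefront's database account can also be denied access to it.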

Camel Milk

The Daily Record reports that the FDA is considering camel milk. Camel dairies already exist in America and promote camel milk benefits.

To milk a camel, you need warm hands, a gentle touch and quick timing — camels give milk only in 90-second bursts.

Gil and Nancy Riegler, owners of the nation’s largest camel dairy near San Diego, said the extra work pays off with milk that is therapeutic, nutritious and delicious.

It’s also illegal to sell in the United States.

Illegal to sell milk?

Millions of tons are produced in desert regions around the world but Europe and the US do not yet allow it to be sold. There is no doubt the hundreds of thousands of Somalis, Mongolians, Ethiopians in America alone would purchase the milk if available. The problem will be how to try and fit camels into the industrialized cattle model, or how to learn to let go of the cattle model and start over. A new approach to dairy sounds interesting — it might even improve milk quality enough to make quantity a non-issue.

The Camelicious dairy, opened in 2006, uses mechanized milking technology and trains camels to walk into the milking parlor. When the dairy first started, “the Bedouins said, ‘No way will the animals enter that milking parlor,’” said Peter Nagy, the Hungarian farm manager there.

He and his wife, both veterinarians, solved the problem, he said, but “I cannot explain exactly how this was done.” Mr. Nagy credits training by his wife: “A woman has a sixth sense” that allows her to “know how the animals feel.”

I would wager his wife also is good at information security and risk management. Reuters in Australia suggests Europe also is looking at legalizing camel milk.

“People with lactose intolerance can drink it with no problem, unlike cow’s milk, it doesn’t cause protein allergies, and it’s high in insulin,” said Ulrich Wernery, the scientific director of Dubai’s Centre for Veterinary Research Laboratory.

Similar in taste and appearance to cow’s milk, he said camel milk is closer in composition to human milk, making it a healthier option than cow milk.

Camel milk also is high in vitamin C, which Wernery said explains its importance to Bedouins, Arab desert nomads, who historically lacked fruits or vegetables in their diet and have been drinking camel milk for generations.

Many health benefits compared to cow milk, a history of safe consumption…the FDA would be wise to legalize.

Malware Found on Dell MBoards

A PowerEdge R410 replacement motherboard was shipped to a customer with malware already on it. The PowerEdge General HW Forum now informs him that it is nothing to worry about for seven reasons, which include the following:

The maximum potential exposure is less than 1% of these server models. […] Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware. […] The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.

I like the “nothing to see, move along” tone but here is my personal favorite:

Systems running non-Microsoft Windows operating systems cannot be affected

Cannot be affected? That sounds very promising.

Dell says the customers that received infected motherboards are being contacted by phone. That must make them sleep better at night, given that it was phone calls from Dell that started this whole worry thread:

I just got a telephone call from a service scheduler informing me that the replacement R410 motherboard I received several weeks ago contains spyware in its embedded systems management firmware, and wanting to schedule an additional service call for a tech to come clean it off.

Unfortunately since the person calling was non-technical, she was unable to provide a lot of details. But I do believe the call to be legitimate as she had the service tag of one of my systems which did indeed receive a motherboard replacement recently.

Does Dell have an official article documenting this issue and laying out further details and the potential risks? Obviously it causes me grave concern to be informed of a vulnerability but not have all of the technical details, especially when they asked to be able to schedule the service call to resolve the issue at least ten business days in the future.