SendGrid email service hacked, customers told to reset passwords and DKIM keys

Most of us know about bulk email – it’s the blanket term for the mountain of legitimate newsletter subscriptions and marketing emails that may be clogging up our inboxes, as well as for the unsolicited junk messages, scams and phishing campaigns that spammers abuse us with.

What is less well known is what transactional email is.

Hackers break into Linux Australia server, plant malware, steal personal information

Linux Australia has warned its members and conference attendees that their personal information may have fallen into the hands of online criminals, following a breach of the organisation’s servers.

In a mailing list posting, Linux Australia’s Joshua Hesketh confirmed that a malicious hacker attacked the site between 04:00 and 06:00 local time on 22 March using what is described as a “currently unknown vulnerability”.

You’re Still Using Clear Text Passwords!?

This week I was doing some poking around in the hacking forums. Someone recently posted a huge password list. These get circulated from time to time. It’s a long list of words and character sequences people commonly use for passwords. The intent is that you feed the list to a tool like John the Ripper, which is a brute-force password-cracking tool.

Hacking (Protecting) Your POS System

In the House of Cards series of posts, I walked you through gaining access to a company’s network through an online portal in order to exfiltrate credit card data. It was a lengthy process, but the target company had enough data to make the time investment worthwhile.

Most credit card data thefts come from POS systems of small- to mid-sized companies.

Is Your Organization a House of Cards – Part 5

This is another in a series of posts (parts 1, 2, 3, 4) discussing how I’m infiltrating an airline’s network to gain access to credit card data. I’ve identified a vendor for the airline and am in the process of retrieving saved passwords from the browsers of the vendor’s Chief Accountant.

Is Your Organization a House of Cards – Part 3

In my last two posts (part 1, part 2) I explained that I would be walking you through the attack on an airline company in order to obtain credit card data I can sell. I’ve identified an airline, Lychee Air, flying out of Hangzhou Airport. I was able to use a not-so-public IP camera to watch and learn the name of the company that caters Lychee’s planes.

Is Your Organization a House of Cards – Part 2

In my last post, I explained that I would be walking you through the attack on an airline company in order to obtain credit card data I can sell. Now I have my project defined. The first step is to identify a target. Because I’m looking specifically for an airline, I can’t just start scanning ports on public IP addresses at random and expect to find one.

Is Your Organization a House of Cards?

Some data breaches get a lot of attention in the news. When a large amount of data is taken from a popular retailer or organization, it makes big news in the media, and law enforcement gets interested. They like to be seen investigating the biggest crimes so everyone thinks they are doing their job. On the other hand,

Infosec Haiku

Your information security haiku for this week

Sony Hack Is Called
“Snowden for Corporations”
This 5h1t Just Got Real

### Notes ###
* Thanks to Ms. Etsuko vdH for the translation.
* Thanks to everyone who has contributed their haikus …

Did North Korea Hack Sony? It Seems Hard to Believe

There are plenty of rumours and speculation, but one thing is certain: something has gone awfully awry with the computer systems at Sony Pictures Entertainment – the television and movie subsidiary of the huge Sony Corporation.

The media has been full since last week with reports that the company has shut down its servers,

Avoiding the User Blame Game

It might not be part of any formal forensics or incident response policy, but odds are that at most organizations, whenever a malicious hacking attack hits the mark, there’s one step rarely missed: blaming the user.

Users do some boneheaded things sometimes, so pointing the finger at them is easy. But the truth is that if IT has never developed a systematic way to make sure users know about the risks and the company policies meant to reduce those risks online,

Securing the Internet of Things

Gone are the days when the Internet was something accessed only through a PC attached to an Ethernet plug. Access is now available from anywhere and via a multitude of form factors. The Internet has moved beyond the computer and even your smartphone into the most unlikely of things. Your TV, your thermostat,