Vulnerabilities

If you look at ASIST/NNA_MNS_PartsServices_IMS-ASISTUserAuthentication, you can see that this is how password handling in ASIST works.

Hire a red team. Hire a really good red team. Pay them better than your blue team because they aren’t likely to work for too long at your place because, if they’re good, they’ll stir up all kinds of trouble… trouble worth having… but trouble that leads to nasty office politics.

This is how cars get Borg’ed.

I’ve been on both teams; I’ve torn parts of well-established commercial software apart in an afternoon and found worse than this, much to the deep annoyance of its purveyors. I’ve found deep errors, shortcuts, laziness, over-worked and under-worked stuff… outright lies…

1 Like

Is this a joke?

I’m not sure what language I’m reading, looks like either ten+ year old JS or VB. Definitely something that’s sloppy loose on bracing, so I’m guessing VB?

I’m not familiar with rc4encrypt, but I presume ‘Amalesh’ is the salt? Squinting further at it, I fear that’s not it either. ZOMGs, I hope this isn’t part of anything important.

1 Like

I’m not gonna touch the code with a ten-foot pole, but I just wanted to point out that if it has braces, it isn’t VB.

Braces could be C, C++, Java, JS, Perl, or PHP, and I suppose others as well. I’d consider C, C++, and Java to be the top contenders. Any #includes would point at C or C++, while Java would have import statements.

1 Like

I’m not sure what language I’m reading

That’s C#. :face_with_monocle: (wrote 10k lines of it for a project once… once was enough… I’ll charge more next time.)

They are using an old RSA algorithm to encrypt that password, but using a hardcoded key to do so, by the look of it. Looks to me like anyone with that key can get the passwords back.

Ah, gives me flash-backs to when I had to tell my boss at ****** that Borland’s Interbase DB had a backdoor.

2 Likes

It’s C# and using some .NET APIs, although that RC4 stuff is all custom.

It’s some “brilliant” programming, done by someone that doesn’t understand encryption at all.

2 Likes
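The two failure modes raised in the posts above (a constant key baked into the program, and a custom RC4 routine used as if it were a password store), as an added example that is not from this thread and not the ASIST code. The key, salt and passwords are made up; the RC4 assumption follows the rc4encrypt name mentioned earlier. The first half shows how a stored password comes back out, both for someone who has the key and for someone who only has one known plaintext/ciphertext pair; the second half shows what a credential store should do instead.

```python
"""Constructed illustration: a password "encrypted" with RC4 under a constant
key is recoverable by anyone holding the key, and, because RC4 is a stream
cipher reused here without a nonce, by anyone who knows a single
plaintext/ciphertext pair. Key, salt and passwords below are made up; this is
not the ASIST code."""
import hashlib
import hmac
import os

# Assumed stand-in for whatever constant the real code embeds.
HARDCODED_KEY = b"Amalesh"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). Symmetric: the same
    call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def store_password_reversibly(password: str) -> bytes:
    """The anti-pattern: same key for every user, no salt, no nonce, reversible."""
    return rc4(HARDCODED_KEY, password.encode())


def recover_with_key(stored: bytes) -> str:
    """What anyone who can read the binary (and therefore the key) can do."""
    return rc4(HARDCODED_KEY, stored).decode()


def recover_without_key(known_pw: str, known_ct: bytes, target_ct: bytes) -> str:
    """Keystream reuse: one known password (e.g. the attacker's own account)
    exposes the keystream, which then decrypts every other stored password of
    the same length or shorter, without the key ever being learned."""
    keystream = bytes(p ^ c for p, c in zip(known_pw.encode(), known_ct))
    if len(target_ct) > len(keystream):
        raise ValueError("known plaintext too short to cover the target")
    return bytes(c ^ k for c, k in zip(target_ct, keystream)).decode()


# What a credential store should do instead: per-user random salt, slow
# one-way KDF, constant-time comparison. Iteration count follows current
# OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    alice_ct = store_password_reversibly("correct horse battery")
    bob_ct = store_password_reversibly("hunter2")
    print("with key:   ", recover_with_key(bob_ct))
    print("without key:", recover_without_key("correct horse battery", alice_ct, bob_ct))
    salt, digest = hash_password("hunter2")
    print("hash verify:", verify_password("hunter2", salt, digest),
          verify_password("hunter3", salt, digest))
```

Two things worth noticing when running it: every user with the same password gets byte-identical ciphertext (no salt, no nonce), and the known-plaintext recovery never touches the key at all, so "keep the key secret" would not have saved this design even if it had been attempted. The hashed form has neither property, and a leaked table of salt/digest pairs only yields passwords to a guessing attack paid for at PBKDF2 speed.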

I do the bulk of my professional development work in C# and it’s evolved into a really, really good language with some wonderful tools and the .NET stack is pretty great.

I fully blame the craftsmanship here rather than the tools.

2 Likes

I fully blame the craftsmanship here rather than the tools.

Oh for sure; there are fewer ways to get your face taken off with C# than some languages, but these guys managed it…

In the same project I had to write a substantial module in PowerShell because it was the only way to get the job done on the production server. Both cases, wrong tool for the particular job, but only tool available. C# is relatively slow and verbose for my work. If I want verbose I use Fortran03->08. Optimizes large array math operations like nothing else… :grin: … but we digress …

Laptops given to British schoolkids came preloaded with malware and talked to Russia when booted

3 Likes

FAA Files Reveal a Surprising Threat to Airline Safety: the U.S. Military’s GPS Tests

Military tests that jam and spoof GPS signals are an accident waiting to happen
IEEE Spectrum, Jan 21, 2021

:fearful: Near “Controlled Flight Into Terrain” in Texas last May due in part to nearby missile testing.

The pilot missed an approach on one runway due to high winds, then came around to try again. “We were forced to Runway 04 with a predawn landing with no access to [an instrument landing] with vertical guidance,” the pilot wrote. “Runway 04…has a high CFIT threat due to the climbing terrain in the local area.”

2 Likes

I like this:

Of the GEO brand, another source said: “I’d never heard of GEO before; it’s not a known manufacturer. There have been availability issues for a while now, the world has been buying lots of laptops and sometimes they are buying what they can get because the media and opposition parties are saying: ‘You’ve got to roll this out quicker’.”

Of course, the problem is the media and the opposition parties.

That you’ve got kids who’ve been trying to get their schooling via their mum’s phone since last March (apart from the period where they were being used as a superspreader trial programme) is clearly something that one really needs to take more time to sort out.

If it wasn’t for those nasty opposition parties fulfilling their constitutional role by holding the government to account, those kids could have reached the end of their legally required period of education and gone on UC where we wouldn’t need to provide them with a laptop and they’d never have needed to worry about malware.

Well, except for when their local hospital gets hit with a malware blackmail attack. But that’s just the open market at work.

/s

3 Likes

The Next Cyberattack Is Already Under Way

There’s a reason I keep my IT infrastructure very, very conservative. Sadly, no target is out of the question: my local school board has had their sites down for a week now after a ransomware attack.

The NYer article is good, but I think the “next” cyberattack is the same one that’s been going on for 20 years and has nearly robbed us of our democracy. Shoshana Zuboff is a smart cookie and gets it close enough to right:

5 Likes

The Chromium DDOS attack on the root servers was finally canceled.

6 Likes

Linked from a Bruce Schneier article that says that the Chinese were into the SolarWinds suite through a whole different bug.

2 Likes

An old standard app changed owners, and then they turned out to be bad guys.

Fortunately the Android camera app reads bar and QR codes, so I haven’t used it in a while.

8 Likes

Whoa, Proustian rush! Haven’t read the daily wtf in years. Good times!

1 Like

What in the actual fuck is wrong with people…

6 Likes

A long time ago I read a comic book that took place in the future. One of the issues showed a villain who defined himself as technoshaman who, just for the LOLs, released a computer virus in several hospitals, killing a lot of patients.

I never thought I was going to live in an edition of one of those horrible comic books from the Marvel 2099 universe.

1 Like

Thing is, it’s an even bet whether it was state-sponsored actors or people doing this shit for the lulz…

3 Likes