March 16, 2006

Schneier on Security: Basketball Prank

Here's an excellent story that Mr. Bock found on Bruce Schneier's blog.

It gives a whole new meaning to "March Madness" :)

Social engineering is still quite effective, alive, and well!

cheers
jk

Qwest Voice Mail setting is unsecured

I've had Qwest voice mail for a number of years now (probably around 10). I've always had it set to ring 4 times before going over to voice mail; 4 is a pretty reasonable number of rings IMHO.

Recently, the phone would ring 2 times and then go to voice mail, making for numerous missed calls (some of which were telemarketers, so I didn't mind THAT much). Obviously, someone or some internal Qwest system changed that value from 4 to 2 for me, as I didn't even know how to change it.

I finally got tired of sprinting to the telephone to pick it up before 2 rings, so I searched Qwest for the answer on how to change this voice mail setting and came up with the answer.

So, I called 800-669-7676 per the instructions, entered in only my telephone number and chose the number of rings (2-8 is allowed). Reread the last sentence. Notice how I did NOT need to type in my account password, last 4 digits of my social or use my account code (as found on my monthly statement).

Just to make sure I didn't 'miss' something, I tried again, and again I was able to change my voice mail settings w/o providing any real authentication credentials.

THE SYSTEM ALLOWS ANYONE TO CHANGE ANYONE ELSE'S VOICE MAIL SETTINGS!!!!!!!!!!!!

From a privacy/security standpoint, this annoyed me, so I called 800-669-7676 again, punched the zero key a whole bunch of times so I could actually talk to someone, and asked about this. The response I received was that, since the number of rings for voice mail is a low priority thing, "it is unnecessary" to secure it. I asked if the changes were logged (because I wanted to find out when my account got changed from 4 to 2 rings), but that information was unavailable. OK, I grant you the value of the asset in question here (# of rings) is low, but it is the premise here that is troubling:

1) Why can someone change my account settings w/o my authorization?
and
2) What other systems does Qwest have that allow similar changes?

One of my friends suggested how easy it would be to build a war dialer and randomly change people's voice mail rings daily. As I found out, 2 rings is akin to a mini-DoS attack!

So, I'm hoping that if this information becomes public, it will cause a change at Qwest, and hopefully not spawn an epidemic of random voice mail ringer changes!

jk
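To make the two complaints in the post concrete (no authentication beyond the phone number, and no record of who changed what, when), here is a small Python model of the ring-count setting. This is an added example, not Qwest's system and not code from the original post: the in-memory account store, the account number and PIN, the PBKDF2 PIN hashing and the three-strike lockout threshold are all assumptions constructed for illustration; only the 2-8 ring range comes from the post. The first method reproduces the flow the post describes; the second shows what a settings-change handler needs so that the question "when did my rings change from 4 to 2?" can actually be answered.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Range of rings the IVR accepts, per the post.
MIN_RINGS, MAX_RINGS = 2, 8
# Assumed lockout threshold; the post does not describe one.
MAX_FAILED_PIN_ATTEMPTS = 3


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored PINs are not usable if the account store leaks."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    phone: str
    rings: int
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class VoiceMailService:
    """In-memory stand-in for the provider's settings store (constructed for this example)."""
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_account(self, phone: str, pin: str, rings: int = 4) -> None:
        salt = os.urandom(16)
        self.accounts[phone] = Account(phone, rings, salt, _hash_pin(pin, salt))

    def set_rings_unauthenticated(self, phone: str, rings: int) -> bool:
        """The flow the post describes: the only 'credential' is the phone number itself,
        nothing else is checked, and no record of the change is kept."""
        acct = self.accounts.get(phone)
        if acct is None:
            return False
        acct.rings = rings
        return True

    def set_rings(self, phone: str, pin: str, rings: int, caller_id: str = "unknown") -> bool:
        """Hardened flow: verify a PIN, enforce the allowed range, lock the account
        after repeated failures, and write every outcome to an audit log."""
        acct = self.accounts.get(phone)
        if acct is None or acct.locked:
            self._log(phone, caller_id, "rejected", None, None)
            return False
        # Constant-time comparison of the salted hash, not of the raw PIN.
        if not hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_PIN_ATTEMPTS:
                acct.locked = True
            self._log(phone, caller_id, "bad_pin", acct.rings, None)
            return False
        acct.failed_attempts = 0
        if not MIN_RINGS <= rings <= MAX_RINGS:
            self._log(phone, caller_id, "out_of_range", acct.rings, rings)
            return False
        old = acct.rings
        acct.rings = rings
        self._log(phone, caller_id, "changed", old, rings)
        return True

    def _log(self, phone, caller_id, event, old, new) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "phone": phone, "caller_id": caller_id,
            "event": event, "old": old, "new": new,
        })

    def change_history(self, phone: str) -> list:
        """Answers the question the post could not get answered: when did the rings change?"""
        return [e for e in self.audit_log if e["phone"] == phone and e["event"] == "changed"]


def demo() -> list:
    svc = VoiceMailService()
    svc.add_account("6125550100", pin="4821", rings=4)  # constructed account
    # Anyone who knows the number can flip it to 2 rings, and nothing records it.
    svc.set_rings_unauthenticated("6125550100", 2)
    # The hardened path refuses a wrong PIN and an out-of-range value, then restores 4 rings.
    svc.set_rings("6125550100", "0000", 4, caller_id="6125550199")
    svc.set_rings("6125550100", "4821", 9, caller_id="6125550100")
    svc.set_rings("6125550100", "4821", 4, caller_id="6125550100")
    return svc.change_history("6125550100")


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit entries carry the caller ID as well as the account, so a single number hammering many accounts (the scenario the post's friend describes) shows up in the log as a pattern even before anything is blocked; the lockout limits PIN guessing against one account, and the range check keeps the 2-8 rule in the service rather than only in the phone menu.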

March 14, 2006

Free CDs highlight security weaknesses - Computerworld

Even a low-tech scam like this was 75% effective! "While the front of the CD contained a written warning to users to check their company's internal security guidelines before running the CD, as many as 75 of the 100 CDs were played."

People are still the weakest link in security: "The experiment underscores what experts say is the weakest point for IT security: people. While many companies have policies and make their employees sign legally binding documents with rules of use for company computers, it's doubtful users get specific training on why those rules are in place, Chapman said."

Forewarned is forearmed I guess...

BTW, if people are giving out free Milli Vanilli CDs, that is also a dead giveaway that it contains 'very bad things' :)

cheers
jk

March 06, 2006

Google makes a funny

For googles (I mean giggles) I Googled for the word maps. My assumption was Google Maps would come up as the first search result; apparently my assumption was incorrect...LOL

(A screenshot of the search results accompanied the original post; the "larger picture" link is not reproduced here.)

cheers and happy mapping
jk

February 25, 2006

Xbox.com | Xbox 360 - Original Xbox Games on Xbox 360

A link for me so I don't have to Google for it all the time.

Hopefully there will be more on this list soon!
jk

Waterfall 2006 - International Conference on Sequential Development

A coworker (PeteS) forwarded this through our technical email list and it was too funny not to post :)

My favorite is wordUnit

hope to see y'all there! :)

jk

February 15, 2006

A good, good day

It was a good, good day today.

I (re)started at Magenic Technologies on 2/6/2006 and am very happy to be back! Lots of friendly faces that I knew from before, and lots of friendly new faces as well!

1. I became billable again this afternoon for a client in downtown Minneapolis. I will be building web services (ASMX & WSE 2.0 currently) in an SO environment. The project is really cool and is a great fit for me. Plus, there is just something cool about working downtown Minneapolis!

2. I got an XBOX 360 today, which is perfect timing as I sent my old XBOX in for repairs (DVD drive failing; can't read discs anymore). The new dashboard is cool and the wireless controller is very nice. I don't have any games yet (the only backwards compatible game I have is Namco Museum). I downloaded Gauntlet (yes, the Atari game circa 1985) to play which was quite nostalgic! :) I'm looking forward to picking up another controller and perhaps a few games for the new console so I can make better use of the hardware than playing 21 year old coin-op games like Gauntlet, heh heh...



see you online!
jk (snk13)

January 31, 2006

Indigo Gotcha #2: WCF config file IntelliSense... why hast thou forsaken me?

Thank goodness for IntelliCrack, especially for new technologies whose help files are skimpy to non-existent, a la Indigo/WCF.

I was having the same issue as Bryan; changing

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

to

<configuration>

allowed VS.NET 2005 to start displaying IntelliCrack again.

Note: I am not complaining, but rather am thankful for schema. XSD is love. ;)

jk

btw, IntelliCrack was my very first Wikipedia contribution! It is fun to contribute, albeit something silly...

Indigo gotcha #1


In working with Indigo (Jan CTP), if you try to generate metadata (WSDL, XSD) from an assembly, make sure it is a DLL and not an EXE, or you get a misleading error message like:



C:\Projects\Indigo>svcutil.exe "C:\Projects\Indigo\bin\Debug\MyIndigo.exe"
Microsoft (R) Service Model Metadata Tool
[Microsoft® .NET Framework, Version 2.0.50727.129]
© Microsoft Corporation. All rights reserved.

Error: There was an error exporting the ContractDescription loaded from the type: Foo.IBarService, MyIndigo, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Duplicate contract QNames are not supported.
Another ContractDescription with the Name: IBarService and Namespace: http://services.foo.com/bar/v1 has already been exported.


This happened when I was writing a self-hosted service using a console application and for ease of initial development included the service, message and data contracts in the self-hosted service. I really wanted to get the WSDL out of the service so I could tweak it (that is a whole other post).

Long story short, I changed the project from a console application to a class library and reran svcutil.exe and all was well in Indigo-land again:




C:\Projects\Indigo>svcutil "C:\Projects\Indigo\bin\Debug\MyIndigo.dll"
Microsoft (R) Service Model Metadata Tool
[Microsoft® .NET Framework, Version 2.0.50727.129]
© Microsoft Corporation. All rights reserved.

Generating Metadata Files...
C:\Projects\Indigo\services.foo.com.bar.v1.wsdl
C:\Projects\Indigo\schemas.microsoft.com.2003.10.Serialization.xsd
C:\Projects\Indigo\services.foo.com.bar.v1.xsd



If this post saves even 1 person some debugging time, it was worth it! :)

I'm glad Indigo is (almost) here!

jk

January 24, 2006

The Amazing Message Plant! (and Monkey phone call)

I heard about The Amazing Message Plant! on the 93X half-a**ed morning show on my drive in this morning. Right now, there are only stock messages, but when they get the custom message feature added, can you even imagine the possibilities?

In a similar genre, Glen was showing us http://www.monkeyphonecall.com/. This site is powered by actual SM2C technology "(simulated monkey to consumer)" to make the magic happen. Again, quite amazing :)

I hope this brightens your day as it has mine :)

jk