https://arstechnica.com/information-technology/2023/03/hackers-drain-bitcoin-atms-of-1-5-million-by-exploiting-0-day-bug/
https://www.generalbytes.com/en/news/general-bytes-statement-on-the-security-incident-that-occurred-on-march-18-2023

In short:
the hackers scanned DigitalOcean and found the IPs and services that belong to them
they found an endpoint through which videos and pictures for user identification were uploaded
through this endpoint they were able to upload their own Java application and run it (this is the big WTF)
with that they more or less pwned the whole thing

This resulted in the following:
- Ability to access the database.
- Ability to read and decrypt API keys to access funds in hot wallets and exchanges.
- Send funds from hot wallets.
- Download user names and their password hashes and turn off 2FA.
- Ability to access terminal event logs and scan for any instance where customers scanned private keys at the ATM. Older versions of ATM software were logging this information.

The whole thing was reportedly a 0-day exploit. And no pentests had uncovered that vulnerability beforehand (an even bigger WTF)

I mean, if a pentest doesn't find a bug like this, on the level of holes in PHP applications from the year 2000, that's total lameness. If they really did have those pentests done, that is.
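The post describes a media upload endpoint (ID photos and videos) that accepted and executed an uploaded Java application. As an added defender-side example, not code from the original post or from General Bytes, the following validator shows the checks such an endpoint should apply before anything touches disk: magic bytes checked against an allowlist of media types, archive and executable signatures (a JAR is a ZIP container) rejected regardless of the claimed extension, the client filename discarded in favour of a server-chosen random name, and the file written with owner-only, non-executable permissions. The allowlist, blocklist, size limit and sample bytes are all constructed for the example.

```python
import os
import secrets

# Constructed allowlist: what an ID-verification upload endpoint legitimately
# expects. Each entry is a list of (offset, magic bytes); MP4 carries "ftyp"
# at offset 4 rather than at the start of the file.
ALLOWED_TYPES = {
    "jpg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "mp4": [(4, b"ftyp")],
}

# Signatures a media endpoint should never accept, whatever the extension says:
# ZIP/JAR archives, compiled Java classes, ELF and PE executables.
BLOCKED_SIGNATURES = {
    b"PK\x03\x04": "zip/jar archive",
    b"\xca\xfe\xba\xbe": "java class file",
    b"\x7fELF": "elf executable",
    b"MZ": "pe executable",
}


def sniff_type(data: bytes):
    """Return the allowlisted type whose magic bytes match, or None."""
    for ext, sigs in ALLOWED_TYPES.items():
        if all(data[off:off + len(sig)] == sig for off, sig in sigs):
            return ext
    return None


def blocked_reason(data: bytes):
    """Return a description if the content starts with a blocked signature."""
    for sig, desc in BLOCKED_SIGNATURES.items():
        if data.startswith(sig):
            return desc
    return None


def validate_upload(filename: str, data: bytes, max_bytes: int = 20 * 1024 * 1024):
    """Return (accepted, detected_type) on success or (False, reason) on rejection.

    Order matters: size first, then the blocklist (so a JAR renamed to .jpg is
    reported as an archive, not as a mismatch), then extension allowlist, then
    the content must actually match the claimed extension.
    """
    if len(data) > max_bytes:
        return False, "too large"
    reason = blocked_reason(data)
    if reason:
        return False, f"blocked signature: {reason}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '<none>'}"
    detected = sniff_type(data)
    if detected != ext:
        return False, f"content/extension mismatch: claimed {ext}, detected {detected}"
    return True, detected


def storage_name(detected: str) -> str:
    """Server-chosen filename: random token plus the *detected* extension.
    The client-supplied filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{detected}"


def store_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write under a random name with mode 0o600 and O_EXCL
    (owner read/write only, never executable, no overwriting existing files).
    upload_dir is assumed to be outside any web root or classpath."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    path = os.path.join(upload_dir, storage_name(info))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    upload_dir = tempfile.mkdtemp()
    # Constructed sample uploads: a real-looking JPEG, a ZIP/JAR header
    # renamed to .jpg, and a PNG that is actually stored.
    print(validate_upload("id.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("id.jpg", b"PK\x03\x04" + b"\x00" * 16))
    print(store_upload(upload_dir, "selfie.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Logging the rejection reason (rather than silently dropping the file) is what turns this check into a detection signal: a burst of "blocked signature" or "content/extension mismatch" rejections on an identification endpoint is worth an alert on its own.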

  • dudel 16.06.2023 - 14:17:58
    wtf? I didn't even notice this little affair
    well that's some real lameness then. or were they really top hackers? :)
  • niekt0 09.06.2023 - 18:36:08
    A pentest (by definition) can't uncover 100% of things, if only because it is typically black-box. Plus, as a pentester you do try to find as many bugs as possible, but once you have, say, compromised it some other way, your motivation drops quite a bit. Even in projects whose source code has been publicly available for a long time, fundamental bugs are found after years or even decades (openssl, linux kernel, ..., ...)

    You have to count on the fact that bugs were, are and will be. You can't afford not to do a pentest; that is asking for trouble with near certainty. But it doesn't work like: I get a pentest done and now I'm immune to security problems. Code reviews of various kinds don't have 100% effectiveness either; they always uncover some part of the problems (and if there are many of them, it is certainly always a good idea to look around them), but certainty isn't much in fashion in this business. Formal verification helps a lot (although in practice its implementation isn't 100% either; openssl was supposedly formally verified too, but only some parts), but for projects of this scope it isn't practically feasible.

    (plus, no two pentests are alike (code review, whatever); there is a certain amount of the tester's heuristics involved, and different hackers have different levels of experience, talent and specific personality traits; there is room for human error, mental state, etc., etc.)