Vulnerabilities

I tried hard, but didn’t fix all of cybersecurity, admits outgoing US National Cyber Director

9 Likes

Kentico disputed that such attacks point to a vulnerability in its systems, stating that its default settings allow any user to upload file and that it is up to its clients’ website administrators to restrict upload permissions. Kentico confirmed to The Intercept that “media libraries are not secured by default” and that the “default admin account has no password.”

Insecure defaults ARE vulnerabilities you twits.

11 Likes

Fun story.

Way back in the dialup BBS days (when I had a 1200bps modem and 640KB of RAM), I happened to get access to a local unlisted hacker board, because I knew somebody who knew somebody who knew about it. Somebody there had come across a (long-distance) government BBS phone number and posted a ‘challenge’ for anyone who could hack into it.

Having wardialed to find some local unsecured anonymous dialins, I used one of those to telnet to a system near the target that had a dialout, and decided to take a look.

Up pops the MOTD (Message Of The Day), which, as was common at the time, told you what BBS you were connecting to, what department it belonged to, and the sysop’s name and phone number in case you needed to contact them about difficulty logging in or something. Then the login prompt asking for your name.

On a whim, I typed in the sysop’s name from the MOTD screen. It then asked me to reset my password, so I did, and suddenly had full sysop-level access to the system. Because the sysop had never set a password and used his real name as both his login and on the pre-login screen.

It was literally that simple to get full access to a government system.

As a kid, of course I poked around to see if I could find anything interesting but it was basically all old people talking about boring administrative stuff. Some of the private emails were members saying catty things about other members, which was mildly amusing, but I didn’t know any of them or care about a bunch of old people gossip.

So using my newfound admin powers, I created a couple of new limited-access accounts without access to anything except logging in, seeing the main menu, and messaging the sysop. I used one to send a message to the real sysop, telling him about the problem with his system, and posted the other login’s credentials to our local hacker board so that anyone else could get in and see that yes, I did in fact get access (but they couldn’t actually do anything).

That got me accepted into the local ‘hacker elite’ culture, such as it was in my southern town at the time. They were shocked and appalled that I didn’t have the latest expensive 14.4k modem, but made allowances since I’d cracked a government system.

But it was something that any 13 year old kid with a cheap outdated computer and a little spare time could do without even really trying.

13 Likes

Microsoft eggheads say AI can never be made secure – after testing Redmond’s own products

Microsoft brainiacs who probed the security of more than 100 of the software giant’s own generative AI products came away with a sobering message: The models amplify existing security risks and create new ones.

The 26 authors offered the observation that “the work of securing AI systems will never be complete" in a pre-print paper titled: Lessons from red-teaming 100 generative AI products.

[…]

9 Likes

It’s just metadata, nothing to worry about. /s

6 Likes

This problem has been around for a while; there’s a GitHub ‘issue’ from May 9, 2024 talking about two fake sites (‘brew dot mom’ and ‘breiw dot com’). In theory, it’s possible that any Homebrew installs in the past several years could have been from this (or a similar) fake site.

Definitely important to keep it on people’s radar, though!

3 Likes

Okay, what’s a good way to check whether all my downloads are from the right Homebrew?

2 Likes
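One concrete check for the question above, added here as an example and not something posted in the thread: the code a Homebrew install actually runs lives in the git checkout that `brew --repository` points at, so confirming that checkout's `origin` is the official GitHub repository (github.com/Homebrew/brew) catches an install whose updates are being pulled from a look-alike host. The `normalize_remote` and `is_official_brew_remote` helper names are my own; `brew --repository` and `git remote get-url` are real commands.

```shell
#!/bin/sh
# Added example: sanity-check where a Homebrew install pulls its own code from.
# Official Homebrew is the GitHub "Homebrew" organisation; any other origin
# on the brew repository is a red flag worth investigating.

# Normalise a git remote URL (https or ssh form, with or without ".git")
# into "host/owner/repo" so the two official spellings compare equal.
normalize_remote() {
    printf '%s\n' "$1" \
      | sed -e 's#^https\{0,1\}://##' \
            -e 's#^ssh://git@##' \
            -e 's#^git@\([^:]*\):#\1/#' \
            -e 's#\.git$##' \
            -e 's#/$##' \
      | tr 'A-Z' 'a-z'
}

# Exit status 0 if the remote is the official Homebrew/brew repository, 1 otherwise.
is_official_brew_remote() {
    [ "$(normalize_remote "$1")" = "github.com/homebrew/brew" ]
}

# Query the live install (only meaningful on a machine where brew is on PATH).
check_local_brew() {
    command -v brew >/dev/null 2>&1 || { echo "brew not found on PATH"; return 2; }
    repo=$(brew --repository)
    origin=$(git -C "$repo" remote get-url origin)
    if is_official_brew_remote "$origin"; then
        echo "OK: $repo tracks $origin"
    else
        echo "WARNING: $repo tracks unexpected origin: $origin"
        return 1
    fi
}
```

This only verifies where the current checkout updates from; it cannot tell you which site served the original installer script, so a machine that ran a fake installer should still be treated as untrusted.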