cybergibbons
Posts posted by cybergibbons
-
I'm guessing none of you were contacted to tell you your data might have been leaked?
-
How about Alarming Company or Wakefield Security?
Fareham and Worthing? Both there.
CG
what is pentested?
and whats the report on?
Pentested means penetration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd say that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.
The report is about the encryption and general security of the CSL CS2300 signalling units.
-
I think they're banning the browser id?
I've not clicked a link to get the 403 page with IE (yet)
chrome, opera & not yet banned with IE
Ah, yes, sorry. The User-Agent is one of the factors they use, which is pretty stupid.
I meant how come it was showing in search results?
-
Should you wish to register...
IIRC it asks you if your co is already registered,
I clicked yes & select postcode of a local co.
& it shows you who at that co, is already signed up
Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent.
There's only a few options here:
1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it.
2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible.
3. They have been pentested and ignored all of the findings.
Who knows?
FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.
-
I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)
Have a look for 'Casa Security'...
Number 25, Bristol area?
-
On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.
http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/
If you would like to know if your company was one of the listed ones, I can check for you.
-
they appear to have banned my IP by following your link?
If I type "apprentice for security" into google, 1st page 1/2 down is london add, home IP brings up banned page
**edit**
must be cookie, as iphone on home IP displays page?
Can you screenshot it and blank out the IP? Interested to work out why that happened.
Surely it's pretty libellous leaving a page up listing someone's IP and saying they are some elite hacker.
-
Been fixed since your post??
They appear to have hidden that and the banned page, probably because they are being ridiculed in several places.
-
To be honest, if you are using common forum software, and anything custom was developed with a framework, or by a developer with any skill, you won't have these issues.
It's actually like they have gone out of their way to make it bad.
Happy to have a quick look over your stuff in the future, will need to send over a rules of engagement to legally cover us both. Much better to go into a touch more depth with some active attacks.
-
I mean, just visit this and read the **** they spout:
-
is it the worst one you have seen generally or just in the 'security' world?
It's the worst site I have seen that handles anything more personal than email/password/forum posts. I've seen worse content management systems, but no one else's data has been put at risk.
This has been purely observation of normal behaviour on the site. If it was taken to active attacks, god knows what would be found.
-
Good find cg, i was reading on your site there is a lot of concerns. Have you told them?
They know about the blog post, that's it. I'm not into waiting when security is that bad - users need to be told
-
2.73 p/h as an apprentice... modern day slavery?
Yes, I won't pass comment on that.
No, actually, I will. I think the exploitation of young people in the guise of providing training is terrible.
-
If any of you use http://www.apprentices4fs.com/, I would advise not using it until they fix the plethora of security issues on their site.
http://cybergibbons.com/security-2/terrible-website-security-on-www-apprentices4fs-com/
This is amongst the worst website security I have seen from a company handling other's details.
-
should be careful giving them out as when employed by a company you sign a contract that would include some form of non disclosure. However any company that no longer maintains a system should be forced to default the engineers code or supply it to the new maintainer in my opinion.
Problem with that is that there is no traceability or accountability on a 4 digit code.
-
Your mum?
Yeah, he decided to start posting old addresses and employment related stuff....
-
What happened next?
I sent a load of documentary evidence to the police, my mum also registered a complaint. They kept it on file. Essentially it has to persist for longer than 8 weeks for them to pursue it much further. It stopped, so I don't know if anything further got done.
-
9800 or 9800+ if showing 'LB'
I wonder if the power cut has cooked the NVM chip itself, a common fault at this age on the panel.
Try a complete power cycle, mains first then battery, and let us know. Beware of mains voltage if not a trained alarm technician or electrician.
But I would recommend replacement with a 9651, although new NVM chips are still available (despite their obsolescence within the wider IC industry)
Has someone stockpiled these? I can't remember the specific IC used, but it's not been made since 1996 or something.
-
cyber, how did the **** storm of stalking from FattMatt.Com end ?
I took it to the police, who said I needed to stop posting for them to pursue it, so I did.
-
Yeah, I got all my Dualcoms off Matt, and a pile of other boards as well.
-
No no, where you wheely bin?*
* the management would like to apologise in advance for the fact that this joke doesn't really work as intended.
That is an incredibly bad joke.
-
Getting paid to annoy people by hacking their alarms now.
Not the Hatton Garden job though.
-
This is the paper from Defcon - it shows how most systems have real issues with jamming:
-
If you were the owner of a national company say and your code was being dished around publicly on a Facebook group, what would your response be??
I might have a bit of a think and wonder why every single panel I installed had the same engineer's code, and how I have no response plan if it got leaked.
Csl's M2M Sim Registration Portal Database Leak
in Members Lounge (Public)
Yeah... you look like one of the ones that has very little info in there. But still there.