Tor friends, relay operators, and anyone who wants to learn about Tor: Join us at Hackerspace Valencia on Thursday, March 28. https://blog.torproject.org/events/tor-meetup-valencia
So I'm taking down one of the https://BrassHornCommunications.uk routers tonight to give it a long overdue upgrade (to OpenBSD 6.4).
We're currently pushing 680Mbit/s of traffic (low because most of the Tor Exits have already been shut down for their own upgrades).
I don't think this router has been shut down since it was commissioned in 2015 - if you see AS28715 flapping tonight you'll know I screwed something up!
The call for papers and presentations for @eurobsdcon 2019 (September 19-22 2019 in Lillehammer, Norway) is open. Please submit your talk or tutorial proposal through the registration system at https://registration.eurobsdcon.org. See you in Lillehammer!
There was a hiccup, however: Ablative uses v4 UUIDs or SHA-256 hashes for virtually all IDs / tags.
The current source shows VMM_MAX_NAME_LEN to be 64 https://github.com/openbsd/src/blob/master/sys/arch/amd64/include/vmmvar.h#L30 but `vmd -n` was throwing an error about the VM names being too long.
I was confused till I realised this change from 32 to 64 was only 4 days old!
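The name-length clash above, as an added example that is not Brass Horn's or OpenBSD's code: a small POSIX sh check that lists the guest names in a vm.conf that will not fit in vmd's name buffer, run against both the old 32-byte limit and the current 64-byte one. It assumes (my reading of how vmd copies the name into a char[VMM_MAX_NAME_LEN] buffer with strlcpy, not something the toot states) that a name must be strictly shorter than the limit to leave room for the terminating NUL; the vm.conf excerpt, the UUID and the hash are constructed for the demo.

```shell
#!/bin/sh
# Added example: find vm.conf guest names that exceed VMM_MAX_NAME_LEN.
# Assumption: vmd stores the name in char[VMM_MAX_NAME_LEN] via strlcpy,
# so a usable name has strlen(name) < limit (one byte is needed for NUL).

# Print every guest name in $1 (a vm.conf) that does not fit within $2 bytes.
# vm.conf declares guests as:  vm "name" {   (the quotes are optional)
too_long_vm_names() {
    conf="$1"; limit="$2"
    sed -n 's/^[[:space:]]*vm[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]{]*\)"\{0,1\}.*/\1/p' "$conf" |
    awk -v max="$limit" 'length($0) >= max { print }'
}

# How many names in $1 fail the $2-byte limit.
count_too_long() {
    too_long_vm_names "$1" "$2" | wc -l | tr -d ' '
}

# Succeeds (exit 0) when a single name $1 fits a buffer of $2 bytes.
vm_name_fits() {
    [ "${#1}" -lt "$2" ]
}

# Constructed vm.conf: a short name, a v4 UUID (36 chars) and a SHA-256 hex digest (64 chars).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
switch "uplink" {
    interface bridge0
}
vm "web1" {
    memory 512M
    disk "/home/vm/web1.qcow2"
}
vm "2a0c2a6e-7e1e-4a3e-9c85-1a9b3f4d5e60" {
    memory 1G
    disk "/home/vm/2a0c2a6e.qcow2"
}
vm "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" {
    memory 1G
    disk "/home/vm/9f86d081.qcow2"
}
EOF

# Old header (32) rejects both the UUID and the hash; current header (64)
# still rejects the full 64-character hash, because the NUL needs a byte.
for limit in 32 64; do
    printf 'VMM_MAX_NAME_LEN=%s: %s name(s) too long\n' "$limit" "$(count_too_long "$SAMPLE_CONF" "$limit")"
    too_long_vm_names "$SAMPLE_CONF" "$limit" | sed 's/^/  /'
done
```

Point it at the real vm.conf and at the VMM_MAX_NAME_LEN from the vmmvar.h that the running kernel and vmd were actually built from, rather than the one in -current, before running `vmd -n`; the example also shows that a raw 64-character SHA-256 hex digest is still one byte too long even after the bump to 64, so hashed names need truncating or a shorter encoding.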
I know that the folks at NCSC have bigger problems but would it kill them to hire a couple of junior infosec people, pay for Shodan accounts and work to identify the owners of all these unauthenticated Samba boxes?
I regularly get emails from the NCA/NCSC about botnet / malware sinkhole hits from my ASN so it's not totally beyond their remit to do such a thing.
As soon as the press started asking questions the OAIC and First National started responding to my messages.
The breach is now closed and the "authorities" are investigating the breach.
Personal data is not something that should be hoarded. It is a toxic asset, borderline radioactive, and businesses should respect the trust that people place in them when providing such data.
People deserve better. People deserve privacy.
Digging into the JS we find a function named js_show_resume which opens a new browser window at the following URL:
`"http://cdn.salesinventoryprofile.com/uploadedfiles/resumes/" + cv_filename`
The path matches the S3 bucket and a subsequent request to the CDN URL with one of the (already opened) documents confirms we're on the right track.
I tried messaging the MD of the company offering this service but they didn't reply.
I could've waited longer but I owe nothing to the company & everything to the individuals.
I cc'd the press.
Worryingly this breach overwhelmingly affected young women whose name, home address, date of birth, phone #, email, job history & education had all been made public.
During the lull in contact I dived a little deeper into how this situation came about.
After searching for jobs with First National I found an advert that directed candidates to https://salesinventoryprofile.com
This website requires one to answer 300+ psychometric questions and then upload a CV.
It's all done via JS & SAJAX (PHP-backed).
So, I spent some of the holiday period trawling through https://buckets.grayhatwarfare.com/ for personal data.
Unfortunately I found a few instances.
One of these made the news, a Real Estate agency in Australia.
The public, indexed bucket contained over 6000 CVs & cover letters; thankfully the cover letters identified the intended recipient.
I reached out to them (& the Aussie version of the UK's ICO) on Twitter but didn't hear back over the weekend or by COB Monday.
Anti Internet censorship / surveillance trouble maker & Darknet enabler. Infosec, Net & Ops at @BrassHornComms & @AblativeHosting GPG: 0x2AA6E6BC2184073C1779