Computer hacking: how do we uncover online security flaws?

At one time my ISP was renamed to virusnet.

When I said “covered up ” I mean the mass media – newspapers / TV etc , what do the public watch ?-TV as witnessed by CPCW having massive sales due to, heavy advertising . Where are the newspaper headlines on all the hacks that continually take place in this country or TV headlines for that matter ? You and I can access websites describing methods of scamming/hacking/ malware etc but the general public dont as witnessed by Which giving out warnings and many convos on the subject just because Which advertises it not the other media . Which Convo brings in many complaints about the subject but its got to be put out where the public can see it . This convo is about making people aware of whats out there on the Web I just dont see the media doing the same because they think it will lose sales and profit will drop. At least which is making an effort .

Thanks Duncan. I think “covered up” is a “glass half-empty” viewpoint and the role of mass media is peripheral to the main topic here, which is more about the process of discovering, reporting and fixing vulnerabilities.

As for the (recently coined?) term “fileless attacks”, its prominence does perhaps show that regular antivirus s/w is now quite good at dealing with traditional virus attacks, i.e. where the user must be conned into downloading a file that contains a malicious executable program, before the main thrust of the attack can progress.

In that sense, there is really nothing new about the nature of “fileless attacks”. That said, as you suggest, an alternative name for them (e.g. “hostile websites”) won’t serve to encourage e-commerce for the benefit of Amazon and other business interests. (As we both already know “non-fileless attacks” generally only work against Windows systems, because downloaded files won’t be executable by default on more sensible OSes.)

With regard to the mass media, I think they generally need to pitch their stories so they can be understood by any average school leaver (i.e. with little or no qualifications or life experience), so it is hard for them to get into as much technical detail as we can here.

…primary school leaver, in the case of most tabloids…

Much in the same way as the first operation on many things has to be change the password, it is not beyond the wit of man for this to be a requirement on router installations – and I suggest it is disgraceful that that doesn’t happen where the defaults are empty, admin, 0000 etc. BT at least make their default router passwords unguessable and all different.

Good you brought that up Roger as a BT customer with one of their very reliable routers I cant figure out why they dont publicize it. Its one of the biggest pluses for hackers — get the default password and you get the rest.

Duncan, where I work similar safeguards are in force, as part of paid for endpoint solutions.

In another convo you recently said “A good commercial firewall AND internet malware/virus protection is definitely required for Windows…”, from the basis that software engineers won’t often work for free, all this has to bought and paid for.

It may be that the costs are too high to encourage these particular solutions from being marketed or sold to the general public.

You might be right Derek but should not the option be openly provided to those who want better security ?

Derek what the US defense industry are waffling on about is DMARC . I cant get into Sophos after accessing the website as my blockers wont let me to check the inner detail but it looks like a virus /malware type of blocker but maybe you could add to that , Click on https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ thats the simplified version the tech version is much more “brain heating ” .

I’ve often thought that the principle of paying extra on domain registration for anonymity is wrong and that the detailed information should only be available to officialdom – a bit like the DVLA database should be.

I didn’t say otherwise Derek , you do understand I posted this to alert the British Public not to alert the “cognitia ” ( yes the word exists ) or if you want more perfection – cognitus, on Which , this is ,after all a Convo on Hacking . You know and so do others the amount of posters on this type of subject complaining of- they know my name/ address/ etc and have hacked my router/modem.

Derek it took me by surprise that they were so easily downloadable on websites , okay some were obscure websites but young people would know them . The US websites I am on have data on them but thats different from having “open-house ” to the apps on the web . The hacking websites inform me of the latest actions by hackers and are not “Dark Web ” inhabitants but are there for good not evil. Show me the UK equivalents ?

Point of law Derek ( US law ) not in the three instances you quote but it is to USE it – the Computer Fraud and Abuse Act (CFAA) , see https://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame/crimelaws.html I have not looked up UK regulations on it but hacking per se I take to be illegal in the UK ( unless you know otherwise ? ) .

Assumptions Derek , I never downloaded anything, why would I download as I dont use Wi-Fi and have it completely disabled in the main programming so that the hardware ( two types ) doesn’t function ? My ISP hasn’t blocked me accessing the website , anybody can , it isn’t political and its American not Russian . As I am also member of three US “freedom of access on the web ” websites I get all the latest action by the US government to control/slow down websites for profit etc I am against restriction and have signed their petitions to Congress , its as I posted the link , its illegal to actually use it . The UK has the same type of laws in other areas – okay to buy ( usually from the USA ) but illegal to use. Read up on Arch Linux , I dont need to download from “iffy ” websites arch contains the largest range of compatible programmes and programming that I have come across because if you install a programme outside its range it usually doesn’t work correctly as you have to allow parts of basic operation programming to make it function properly it also lets you know with BIG warning in red – Warning !! this programme isnt safe/ out of date / not kept up to the latest level security by updates etc -download at YOUR risk of installing infected software and corrupting your system . Then the whole system is constantly re-installed by updates with a new kernel but not the core, unlike Windows where you have to start from scratch with a complete re-installation and other Linux distros . I learned long ago using Windows 7 Prof . the bad side of downloading willy-nilly ( old obsolete expression ) .

Well you have a point Derek . Arch being different from the rest Blocks normal downloads by default in other words downloading an app/programme doesn’t install it nor is it able to function in any capacity but isolates it leaving you with a good bit of programming to install it. I only have a limited amount of third party programmes mainly audio/hi-fi and even there I had to install libraries etc from Pacman to make them function . But that the beauty of Arch you control it even if you destroy it. I had to remove two small browsers because Arch didn’t like them as they weren’t secure enough. One was a text browser I tried , worked for one day then locked up permanently the second locked up my screen ,as again, Arch wasn’t happy. I would rather have that than an “open to the web ” system.

Here’s one link. https://www.theregister.co.uk/2018/05/18/top_uk_court_agrees_to_review_spy_courts_immunity_from_judicial_review/

Thanks for the link malcolm .

Windows wont block what you authorise Derek thats how malware gets through , you have got to accept it first , the same as -dont click on that link etc in an email , if Windows anti-virus was that good the world and the UK wouldn’t be full of people getting infected by malware , its because they allow it also just like telephone scammers just do this or that to allow us to deposit our controlling Trojans/malware on your system , MS doesn’t stop that happening its not reached the AI stage yet in intelligence . Its supposed to protect you from yourself but if you okay it it gains entry , in any case this wasn’t some dumb virus easily spotted it was an up to date sophisticated one masquerading as a normal file. They were all packed with different malware strains from different manufacturers and packed as portable ex. files (PE) but all used the same source code . No virus control can boast of 100 % efficiency and hackers arent stupid in this category , no wonder both our government and the USA want to employ them .

Not Windows 10 Derek and I would never buy Android as its easy to hack . Are you saying Windows virus control will block your commands Derek ?

Okay prove to me that Windows 10 is “safe ” and that a user cant override the built in virus control . Tell the public its “safe ” Derek , when MVP,s cant answer a question they just repeat their statement leaving no answer , if you have one give it to the public , are you saying thumb drives are safe Derek ?

With intelligent use I don’t see much problem with using flash drives as long as you don’t use them for sensitive data or if you do then treat them as if they were confidential paperwork. I trust that most people are aware that simply deleting a file on a flash drive does not erase the data.

I think it is good to be aware of risks but if they are overstated then readers will just switch off.

Comparing fridge freezers and Microsoft Window 10 in the same category of public safety says it all to me Derek I dont trust your responses , I hesitate to say – “you cant be serious ” as tennis is in full swing just now . Come on Derek tell the public just how “safe ” Win 10 is in reality ? If you are telling the British public its as safe your fridge freezer I rest my case .

As you refuse to believe me Derek , have you heard of the USB malware -Bad USB ? detected by none other than the Chief Scientist and founder of Security Research Labs -Berlin- Karsten Nohl – quote Most of the USB thumb drives have a major dilemma like several other USB peripherals that they fail to provide protection to their firmware. This refers to that software which is known for running upon the microcontroller which is inside them according to the founder as well as the chief scientist of the Security Research Labs based in Berlin namely Karsten Nohl.This denotes that the firmware on a USB device can be replaced by any malware program with the help of SCSI (Small Computer System Interface) commands. Nohl further claims that it can be made to act as any other piece of hardware.This spoofed piece of hardware can then be used imitate key presses as well as transfer commands in order to download and for the execution of a malware program. This malware then can also be used for reprogramming the other USB drives which are put into the infected computer. This way it becomes a self-multiplying virus. I will stop before the tech detail as its “not approved ” here but of course – he doesn’t know what he is talking about –right ? I have tech website after tech website showing how vulnerable thumb drives are to hacking but of course – “they are all lying ” -yes ?