Security Installer Community

Everything posted by cybergibbons

  1. Yeah... you look like one of the ones that has very little info in there. But still there.
  2. I'm guessing none of you were contacted to tell you your data might have been leaked?
  3. Fareham and Worthing? Both there. Pentested means penetration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd say that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested. The report is about the encryption and general security of the CSL CS2300 signalling units.
  4. Ah, yes, sorry. The User-Agent is one of the factors they use, which is pretty stupid. I meant how come it was showing in search results?
  5. Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent. There's only a few options here: 1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it. 2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible. 3. They have been pentested and ignored all of the findings. Who knows? FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.
  6. On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible. http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/ If you would like to know if your company was one of the listed ones, I can check for you.
  7. Can you screenshot it and blank out the IP? Interested to work out why that happened. Surely it's pretty libellous leaving a page up listing someone's IP and saying they are some elite hacker.
  8. They appear to have hidden that and the banned page, probably because they are being ridiculed in several places.
  9. To be honest, if you are using common forum software, and anything custom was developed with a framework, or by a developer with any skill, you won't have these issues. It's actually like they have gone out of their way to make it bad. Happy to have a quick look over your stuff in the future, will need to send over a rules of engagement to legally cover us both. Much better to go into a touch more depth with some active attacks.
  10. I mean, just visit this and read the **** they spout: http://www.apprentices4fs.com/jobboard/cands/jobresults.asp?c=1&bms=1&localstrKeywords=%3Cscript%3E&localdivtypeOfJob=&localdivregion=
  11. It's the worst site I have seen that handles anything more personal than email/password/forum posts. I've seen worse content management systems, but no one else's data has been put at risk. This has been purely observation of normal behaviour on the site. If it was taken to active attacks, god knows what would be found.
  12. They know about the blog post, that's it. I'm not into waiting when security is that bad - users need to be told.
  13. Yes, I won't pass comment on that. No, actually, I will. I think the exploitation of young people in the guise of providing training is terrible.
  14. If any of you use http://www.apprentices4fs.com/, I would advise not using it until they fix the plethora of security issues on their site. http://cybergibbons.com/security-2/terrible-website-security-on-www-apprentices4fs-com/ This is amongst the worst website security I have seen from a company handling others' details.
  15. Problem with that is that there is no traceability or accountability on a 4 digit code.
  16. Yeah, he decided to start posting old addresses and employment related stuff....
  17. I sent a load of documentary evidence to the police, my mum also registered a complaint. They kept it on file. Essentially it has to persist for longer than 8 weeks for them to pursue it much further. It stopped, so I don't know if anything further got done.
  18. Has someone stockpiled these? I can't remember the specific IC used, but it's not been made since 1996 or something.
  19. I took it to the police, who said I needed to stop posting for them to pursue it, so I did.
  20. Yeah, I got all my Dualcoms off Matt, and a pile of other boards as well.
  21. Getting paid to annoy people by hacking their alarms now. Not the Hatton Garden job though.
  22. This is the paper from Defcon - it shows how most systems have real issues with jamming: https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20presentations/Logan%20Lamb/DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALARMS-AND-SIGINT-WP.pdf
  23. I might have a bit of a think and wonder why every single panel I installed had the same engineer's code, and how I have no response plan if it got leaked.