
Security News for the Week Ending May 20, 2022

Flaw in uClibc Allows DNS Poisoning Attacks

A flaw in all current versions of the popular embedded C standard libraries uClibc and uClibc-ng can allow DNS poisoning attacks against target devices: the libraries' DNS resolver picks predictable transaction IDs for its queries, so an attacker who can see or guess one query can forge a response the device will accept before the real answer arrives. The library is likely used in millions of Internet of Things devices that will never be patched and will always be vulnerable. This is where a Software Bill of Materials is handy: without one, most organizations have no way to tell which of their devices carry the library. Credit: ThreatPost
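The practical question for a defender is whether a given device's resolver is one of the guessable ones, and you can answer that from its traffic. The following is an added example, not code from the page or from the uClibc project: it builds a few DNS queries itself (constructed sample traffic, not captures from a real device), pulls the 16-bit transaction ID out of each, and flags a client whose IDs always move by the same step, which is the behaviour the reported flaw produces. The function and variable names are my own.

```python
import struct

# Constructed sample traffic: two DNS clients resolving a series of names. The
# "vulnerable" client behaves like the flawed resolver (each transaction ID is
# the previous one plus one); the "patched" client draws IDs from a CSPRNG.


def build_query(txid, name):
    """Build a minimal DNS A query (RFC 1035 header + question) carrying the given 16-bit ID."""
    header = struct.pack("!HHHHHH", txid & 0xFFFF, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def txid_of(packet):
    """The transaction ID is the first two bytes of every DNS message, query or response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def looks_predictable(txids, min_samples=8):
    """Flag a client whose consecutive IDs always differ by the same step modulo 2^16.

    A step of 1 is the incrementing resolver exactly; any constant step is just as
    guessable once an attacker has observed two queries.
    """
    if len(txids) < min_samples:
        return False  # not enough evidence to call it either way
    steps = {(b - a) % 0x10000 for a, b in zip(txids, txids[1:])}
    return len(steps) == 1


def next_txid_guess(txids):
    """If the sequence is predictable, the one ID a forged reply needs to carry; else None."""
    if not looks_predictable(txids):
        return None
    step = (txids[-1] - txids[-2]) % 0x10000
    return (txids[-1] + step) % 0x10000


def spoof_success_probability(txids, forged_replies=1):
    """Chance that one burst of forged replies matches the next query's ID.

    Assumes the attacker already knows the client's source port; with a fixed or
    guessable port the ID is the only thing standing between them and a poisoned answer.
    """
    if looks_predictable(txids):
        return 1.0
    return min(1.0, forged_replies / 0x10000)


if __name__ == "__main__":
    import secrets

    names = ["host%d.example.com" % i for i in range(10)]
    vulnerable = [txid_of(build_query(0x1000 + i, n)) for i, n in enumerate(names)]
    patched = [txid_of(build_query(secrets.randbelow(0x10000), n)) for n in names]
    print("vulnerable client:", looks_predictable(vulnerable), "next id", next_txid_guess(vulnerable))
    print("patched client:   ", looks_predictable(patched), "next id", next_txid_guess(patched))
```

Point this at the IDs extracted from a capture of a device's outbound port-53 traffic and a constant step is a strong signal that the resolver needs replacing, not tuning. Randomizing the source port as well as the ID is what makes the attacker's search space 2^32 instead of 2^16, so check both if you can.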

Cyberattack on Hawaii Undersea Cable Thwarted

Homeland Security thwarted an attempted attack on an undersea cable that connects Hawaii with other parts of the Pacific region. Homeland is not releasing any details of the attempt, but if an attack shut down traffic on a cable like that, it would be really bad for the region. Just one cable, for example, the Hawaiki Transpacific Cable, runs for 15,000 km and has a capacity of 67 terabits per second. Credit: Star-Advertiser

Will the Mickey Mouse Protection Law Go Up in Flames?

Full disclosure: I have never been a fan of this law, so if it goes away, it won’t bother me. As some Republicans try to hurt Disney (by trying to abolish the Reedy Creek special district, for example), Senator Hawley (R-MO) introduced legislation to roll back the insane copyright “terms” that companies have used to make money off characters created a century ago. The downside of Hawley’s move is that it will likely anger a lot of people who make money off that 120-year copyright term, and they might choose to make donations to the other team to get even. Given that Washington runs on “contributions” and those donors are likely to explain that fact, I would say the odds of this passing are not great, but who knows. Credit: MSN

Feds Write Memo That Says They Pinky Promise Not to Charge Security Researchers Under CFAA

Sometimes I probably come across as cynical. That is because I am. While it is great that the DoJ has finally written a memo saying it will not charge good-faith security researchers for finding security holes, that memo carries only a little more weight of law than one I might write: it is internal charging guidance, it changes nothing in the CFAA itself, it binds no court, and it can be reversed by the next set of officials. Still, I guess, it is better than nothing. Credit: The Daily Swig

Sanctions Have Some Effect on Russia’s Tech Sector

Since Russia can no longer buy AMD and Intel processors, it has had to find an alternative. The solution seems to be the KaiXian KX-6640MA, an x86-compatible chip from Zhaoxin, but a slow one. One CPU benchmark reported that the four-core, four-thread chip scored 1,566 points; by comparison, an Intel Core i3, at the low end of the current Intel Core family, scored 14,427. Not exactly a match, and for anything that is time critical, that is a problem. Guess how you would feel if someone replaced your computer with one that was a tenth as fast. Credit: PC Magazine

Disney Playdom Hacked

Disney probably thinks that 350,000 or so of its users getting hacked is a big thing; in the grand scheme of breaches, it is not so big.

The Playdom site is the official forum for Star Wars, Marvel and other Disney games. It is kind of surprising that only 350,000 accounts were taken.

First, what did they get? Email addresses: not terribly exciting. Usernames: a little more concerning, but not very. Passwords: that is concerning. IP addresses: they first said IP addresses were taken and then said they do not store IP addresses, so I am not clear on that one.

All in all, the only one that is a big concern is the passwords.

But first, at least one source is reporting that Disney was running this forum on vBulletin 4, an old version that is no longer considered secure.

You would think a company as big as Disney would know how to update the software that its users depend on, but, as we see again and again, size does NOT matter. Big companies do NOT do it better. In part this is because they likely have thousands of web sites, and nobody keeps track of what version of what is running on each one.

Of course, for a hacker, this is a dream. You just troll around big companies’ web sites and look for ones running an old version of the web software. Then you read the changelogs and advisories for the versions they skipped, and you have an attack road map of bugs that are already public and still unpatched on that site.

So this is first a message to businesses to keep your server software up to date.

Why are the hacked passwords a concern? Because people reuse passwords. Hopefully, those 350,000 people are not using the same password for Disney as they do for online banking, but …

So this is really an article to discuss password reuse.

The hacker now has 350,000 email addresses plus the passwords that go with them. If you assume most people reuse passwords, you can try those email/userid/password combinations on other sites and see what works; the industry calls this credential stuffing.

They have not said how, or whether, the passwords were hashed. Passwords should be stored as salted, slow hashes rather than encrypted, and the scheme used determines how hard it is to recover them. If they were stored as unsalted MD5, the attacker effectively already has them: one pass through a wordlist recovers every user who picked a common password, no matter how many users are in the dump. You get the idea.
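To make the difference concrete, here is an added example that is not from the original post and not Disney's or vBulletin's code. It takes a constructed three-user "dump" (made-up addresses, not Playdom accounts) stored two ways: as unsalted MD5, which the attacker cracks with a single pass over a tiny constructed wordlist, and as per-user-salted scrypt (chosen because it is in the Python standard library), where every candidate has to be re-derived for every user and each derivation is deliberately expensive. Function names and the wordlist are my own.

```python
import hashlib
import hmac
import os

# Constructed sample dump: what an attacker holds after taking a forum's user table
# that stored unsalted MD5. These are not real accounts.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}
WORDLIST = [b"123456", b"password1", b"letmein", b"qwerty"]  # constructed, deliberately tiny


def crack_unsalted_md5(dump, wordlist):
    """Hash the wordlist once, then recover every user who chose any of those words by lookup.

    Cost is O(words) regardless of how many users are in the dump: an unsalted fast
    hash is as good as plaintext to anyone with a large wordlist or a precomputed table.
    """
    table = {hashlib.md5(w).hexdigest(): w.decode() for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password, salt=None, n=2 ** 14):
    """Store a password with a per-user random salt and a memory-hard KDF (scrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return "scrypt${}${}${}".format(n, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    alg, n, salt_hex, dk_hex = stored.split("$")
    if alg != "scrypt":
        raise ValueError("unsupported hash format")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(dump, wordlist):
    """Against per-user salts there is no shared table: each word is re-derived per user.

    Returns (cracked users, number of KDF evaluations) so the cost can be compared
    with the single wordlist pass in crack_unsalted_md5.
    """
    cracked, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += 1
            if verify_password(w.decode(), stored):
                cracked[user] = w.decode()
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p) for u, p in [("alice@example.com", "password1"), ("bob@example.com", "letmein")]}
    print("salted scrypt cracked, evaluations:", crack_salted(salted, WORDLIST))
```

The weak passwords still fall in both cases; what changes is that with salts and a slow KDF the attacker pays one expensive derivation per user per guess instead of one cheap MD5 per guess for the whole table, and strong passwords like carol's never fall. Argon2id is the usual recommendation today, but it needs a third-party package, which is why the example sticks to scrypt.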

From a user standpoint, password reuse means that when Disney’s site gets hacked, the hacker can empty your bank account.  THAT is likely a problem, at least for most people.

So please, do not reuse passwords. At least not between what I call junk sites, like Disney, and important sites. Important sites include any site that stores credit cards (like Amazon), financial information (like your bank) or health care information (like your insurance company or doctor). These are only examples. You need to decide what is a junk site and what is an important site.

If people did not reuse passwords, hacking sites like Disney would be pretty useless. If all you got was the password to Disney and nothing else, well, maybe you would find out who my favorite Star Wars character is. Just. Not. Worth. The. Effort.

But, people don’t do that, so hacking Disney is still pretty valuable.

By the way, Disney shut down the site after the breach.  Maybe – just maybe – that is a bit too late.

Information for this post came from Softpedia.