RafaelSoaresP

SlickWraps data breach


1 hour ago, FakeCIA said:

If you want a skin for your phone, just go with dbrand. They're safe and you know you can trust 'em enough.

How do we know this? What do I know about dbrand data management practices or back-end security?

 

Up until today, we didn't have any worse or better information on these fronts about any of these companies (fair to say, I hadn't heard of slickwraps' existence at all, while I only know dbrand because they advertise in LTT :P), so there wasn't any company "we knew we could trust" more than any other when it comes to data protection.

Or was there any publicly available information on how these companies managed customer data before this news broke out?

12 minutes ago, RonnieOP said:

Slickwraps had a bunch of bots go and downvote Nerd on a Budget's videos after he made a video talking about slickdeal bots trying to skew a poll he made about what skin company to use on Twitter.

Sounds desperate

 

 

 

 

23 minutes ago, SpaceGhostC2C said:

How do we know this? What do I know about dbrand data management practices or back-end security?

 

Up until today, we didn't have any worse or better information on these fronts about any of these companies (fair to say, I hadn't heard of slickwraps' existence at all, while I only know dbrand because they advertise in LTT :P), so there wasn't any company "we knew we could trust" more than any other when it comes to data protection.

Or was there any publicly available information on how these companies managed customer data before this news broke out?

Tbh you shouldn't really trust any company for the long haul.

 

It's a cat-and-mouse game. Hackers are never going to stop evolving and neither are security engineers. A company that's safe today could be hacked tomorrow by an exploit that has never been seen before.


I don't trust smaller online companies with my data. I get things sent to a pickup location and pay using a PayPal account with a different front name. Most of my data online is incorrect on purpose, as I enjoy my privacy.

2 minutes ago, GodSeph said:

I don't trust smaller online companies with my data. I get things sent to a pickup location and pay using a PayPal account with a different front name. Most of my data online is incorrect on purpose, as I enjoy my privacy.

How do you get a PayPal account and use a different front name?

Are you using a PO Box?

Just now, greenmax said:

How do you get a PayPal account and use a different front name?

Are you using a PO Box?

Correct, PO box. And on PayPal I have my name changed; a first name is pretty common, so as long as the account still works, the last name changes on cards but not on the website.

2 minutes ago, GodSeph said:

Correct, PO box. And on PayPal I have my name changed; a first name is pretty common, so as long as the account still works, the last name changes on cards but not on the website.

Very interesting.

I was watching YouTube last night, on a conman Mr. Aloff, and someone mentioned Deed Poll, which was very interesting. https://www.gov.uk/change-name-deed-poll

I know in Lebanon you can change your name easy too.

 

The anonymity part of my data being secure is interesting to me. I use an old telephone number when cashiers ask for a tele #, I don't use email receipts, and I should really start using cash instead of debit/credit cards. So Slickwraps is selling the info for money, that is very desperate.

Quote

The researcher 'disclosed' the hack to Slickwraps — and by 'disclosed,' I mean he said "Hey @SlickWraps, You failed the vibe check" in a public tweet, and then posted screenshots of customer support messages. I don't think that's how vulnerability disclosures work.

Excuse me

 

What

The

Literal
Fuck

Okay so, this "researcher" is extremely irresponsible, provocative, and downright shameful. Based on the medium post, tweet, and among other things, this first contact with Slickwraps was 2/16 with his, subjectively provocative, tweet. To put this in perspective, the generally agreed upon wait period for disclosing a vulnerability is 90 DAYS; this guy could barely wait 7 before spilling all the details. This is what is known as Responsible Disclosure and is standard with companies such as HackerOne and Google Project Zero, among others.

During the period between Feb 16 and now, he irresponsibly, and repeatedly, leaked private information to the general public. It should be common sense that a lot of companies use 3rd parties to manage their social media. Leaking that information would not have brought the attention of a sysadmin, unlike things such as breaking APIs, renaming or locking accounts, among other things that do not cause financial, privacy, and integrity loss.

As someone even mildly into the netsec, infosec, and "hacking" community, this "researcher" gives all of us a bad name. This is not how we act. This behavior pushes companies into considering and oftentimes bringing suit against well-meaning individuals under the CFAA act. These are felonies and can ruin the life of someone wanting to learn about these processes, protect their own (and others') data, and improve security across the web. I am truly ashamed.

Edited by rcmaehl
RANT INSERTED


The vulnerabilities involved are pretty severe, it's very bad that they were there, and Slickwraps' response looks very poor, but that is not how responsible disclosure works.

 

You don't see how far you can get and how many accounts you can compromise - you stop at finding a remote code execution vulnerability and report it to them.

You don't report an issue by tweeting them with "vibe check", then post a nondescript screenshot of a support ticket with absolutely no mention of the fact that, for example, it isn't your ticket - you make it clear that you've found a critical vulnerability so that it can be triaged appropriately.

You don't report security vulnerabilities through Twitter - you try and find the email of a relevant employee, and if that fails you can try security@, webmaster@, admin@, cto_first_name@, or at the very least tweeting them directly asking them to DM or email you.


17 minutes ago, colonel_mortis said:

The vulnerabilities involved are pretty severe, it's very bad that they were there, and Slickwraps' response looks very poor, but that is not how responsible disclosure works.

 

You don't see how far you can get and how many accounts you can compromise - you stop at finding a remote code execution vulnerability and report it to them.

You don't report an issue by tweeting them with "vibe check", then post a nondescript screenshot of a support ticket with absolutely no mention of the fact that, for example, it isn't your ticket - you make it clear that you've found a critical vulnerability so that it can be triaged appropriately.

You don't report security vulnerabilities through Twitter - you try and find the email of a relevant employee, and if that fails you can try security@, webmaster@, admin@, cto_first_name@, or at the very least tweeting them directly asking them to DM or email you.

He did try to tweet them directly, according to what I read in the medium post, and asked to be contacted, but they had blocked him. On the other hand, I fully agree he should have tried more direct ways of contacting them but, if the medium post is/was to be believed, they didn't care. Slickwraps eventually did DM him and subsequently blocked him again within 5 minutes. The irresponsible disclosure is shameful on the part of the discovering party though, 100% agree there. Both parties are in the wrong here and both deserve whatever punishment they get in the end imo; I just wish no customer information got leaked because of the reckless disclosure or the lack of willingness to discuss anything either.

 

 

Edit:

Double checked the medium post and he DID email their customer support directly and was ignored.


1 hour ago, GodSeph said:

Correct PO box and Paypal I have my name changed and a first name is pretty common so as long as the account still works the last name changes on cards but not on the website.

But even then PO Box info is not secure.

 

A company can fill out some paperwork and get the info of the owner of the po box.

 

Now I'm not saying they will do that, as it's more work. But it is doable.

1 minute ago, RonnieOP said:

But even then PO Box info is not secure.

 

A company can fill out some paperwork and get the info of the owner of the po box.

 

Now I'm not saying they will do that, as it's more work. But it is doable.

It's not 100%, no; the only way for that is to not give information online. But for the most part this is a great way to block the obvious: put in address and name into a random website and use the same password as your email account lol.

10 minutes ago, GodSeph said:

It's not 100%, no; the only way for that is to not give information online. But for the most part this is a great way to block the obvious: put in address and name into a random website and use the same password as your email account lol.

I agree 100%.

 

Putting in more security is never a bad idea.

 

Anytime you introduce hurdles you reduce the number of threats.

 

1 minute ago, RonnieOP said:

I agree 100%.

 

Putting in more security is never a bad idea.

 

Anytime you introduce hurdles you reduce the number of threats.

 

What most non-tech people don't understand is that any amount of hurdles for people trying to steal data usually stops them, as they mostly want the easy money. If they are good enough to get past all the hurdles and work around things, they're usually hitting much bigger fish than Joe Blow from New York lol.


I'm gone for 2 hours and this blows up. If you want a good security tip, here is what I do. I have multiple email accounts with Google, Microsoft, and others. The email I use to run my banking account is not even close to the same one that I use to run this forum account. In terms of employment, Adult Swim has a completely different account than the FBI. Never use an account that is connected to financial details or personal details on a public site. Always use 2 factor authentication and have security alerts enabled. One of my classmates for the FBI internship has 10 email accounts. I'm not saying to be paranoid like them, but have something you can quickly ditch in case of a breach. Make dummy accounts for social media and sites you believe to be risky that you can quickly terminate.


 

 

 

 

Just now, FakeCIA said:

Always use 2 factor authentication

To add on, SMS 2FA is not a secure 2FA method.


1 hour ago, rcmaehl said:

To add on, SMS 2FA is not a secure 2FA method.

Yes. Use an app like Microsoft Authentication where your device itself is the key. There are also other ways, but having something where an individual device is the password itself is best. I have a backup phone in case mine fails or is stolen. There are also physical security keys that are available in USB-C, USB 3.0, and Micro USB. Those work too, but can be lost easily if they are on a keychain. I find that the best ones come from Microsoft and Google. You can also turn a standard thumb drive into a security key with an option in Windows 10 Pro.


 

 

 

 


-= Topic Moved to General Discussion =-

Topic does not meet requirements of a Tech News topic.


