Code Project
Worst security flaws

Forum: The Weird and The Wonderful
Tags: security, beta-testing, question, workspace
18 posts, 15 posters
Camilo Sanchez wrote:

We had this FTP in our company that one day appeared full of porn; apparently anonymous access to the FTP was enabled.

#6 GenJerDan (replying to Camilo Sanchez)

But it saves having to go out and search for it yourself. :-O On a related note, at another place I worked, every once in a while we went out to the network drives and searched for unauthorized files: music, films, etc. Sent the owners of the network directories nastygrams... and scarfed the content for ourselves.

#7 Ray Cassick (replying to GenJerDan)
Sometimes it is fun to just set up a machine, stick it out in the DMZ and see what happens to it. Grab a pizza, sit back and watch the logs... It is amazing how quickly stuff gets found. I was staging a machine once, got called to dinner, and by the time I came back it was full of stuff. Kind of funny really.


#8 Mike Winiberg (replying to Ray Cassick)

At a firm where I worked, a consultancy was contracted to prepare a new, interactive web site to allow people to make bookings on-line (this was when broadband first started being rolled out). There were two problems with the new web server. The web site itself (written using IIS/ASP (VB)) was unreliable and would crash intermittently, requiring a reboot of the server to wake it; the firm who wrote it were unable to find/fix the problem. And the FTP wasn't secured: one day, after the customary reboot to restart the web service, the machine started whinging about disk space etc. When I investigated I found some very cleverly hidden directories, hundreds of levels down a directory structure attached to the \Windows tree, containing hundreds of illicit copies of Playstation games which it was serving to the 'pirate' community... Needless to say, we took the management of that server in-house from that point, and then also rewrote the entire site in PHP, hosted it on a small Linux machine and had no further problems... 8)

rohans84 wrote:

Just last week a security flaw was discovered in the company I am working for as a contractor. The IT Security audit department found that directory browsing was enabled on one of the websites of the QA environment, which was open across the internet. What was discovered later was that search engine crawlers had indexed all the documents that were in there, and now anybody could find that information in Google if they happened to search those keywords. Has anyone come across things like this?

#9 Isfeasachme (replying to rohans84)

I just found my favorite. We paid a third party for a site redesign. They have talented project managers and artists, but crap developers. They added a link on every page that invites the world to "email this page to a friend". The .NET app had input fields for from name, from email, to email, subject line(!) and "special message". The email body was "I thought you might be interested in this..." followed by the same full paragraph of legal crap we are required to use in our corporate sig. The mail was routed through our main Exchange server. To demonstrate the danger, I spoofed an email as the CEO that looked completely legitimate.

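The "email this page to a friend" form described in the post above, modelled in Python as an added example (it is not the site's code, which is not on the page). The first builder does exactly what the post describes: every header is copied from the form and the result is relayed through the corporate mail server. The second is the hardened shape: a fixed sender, a fixed subject, visitor text confined to the body, and both addresses checked as single plain mailboxes. SITE_SENDER, PAGE_URL, LEGAL_SIG and the sample form fields are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed values: the real site, sender address and signature text are not on the page.
SITE_SENDER = ("Example Corp website", "no-reply@example.com")
PAGE_URL = "https://www.example.com/bookings"
LEGAL_SIG = "Example Corp legal boilerplate would go here."
MAX_NOTE = 500


def build_vulnerable(fields):
    """The design the post describes: From, To and Subject come straight from
    the form, so anyone on the internet can send mail 'from' the CEO through
    the company's own mail server with a subject of their choosing."""
    msg = EmailMessage()
    msg["From"] = formataddr((fields["from_name"], fields["from_email"]))
    msg["To"] = fields["to_email"]
    msg["Subject"] = fields["subject"]
    msg.set_content(
        f"I thought you might be interested in this... {PAGE_URL}\n\n"
        f"{fields['message']}\n\n{LEGAL_SIG}"
    )
    return msg


# One plain mailbox, no display name, no list of recipients.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _one_line(text, limit):
    """Replace control characters (including the CR/LF used for header
    injection on mail stacks that do not check) with spaces, then cap length."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", text).strip()[:limit]


def build_hardened(fields):
    """Fixed sender and fixed subject; visitor-supplied text only ever lands
    in the body, and the visitor's own address is shown there, not in From."""
    to_email = fields["to_email"].strip()
    _, from_email = parseaddr(fields["from_email"])
    if not (_ADDR.match(to_email) and _ADDR.match(from_email)):
        raise ValueError("address rejected")
    from_name = _one_line(fields["from_name"], 60) or "A visitor"
    # Printable ASCII plus newlines only (adjust for non-English sites), capped.
    note = re.sub(r"[^\x20-\x7e\n]", "", fields["message"])[:MAX_NOTE]

    msg = EmailMessage()
    msg["From"] = formataddr(SITE_SENDER)      # never the visitor's address
    msg["To"] = to_email
    msg["Subject"] = f"{from_name} shared a page from Example Corp"
    msg.set_content(
        f"{from_name} ({from_email}) thought you might be interested in {PAGE_URL}\n\n"
        f"Their note:\n{note}\n\n{LEGAL_SIG}"
    )
    return msg


if __name__ == "__main__":
    # Constructed attacker input: impersonate the CEO with an urgent subject.
    attack = {"from_name": "CEO", "from_email": "ceo@example.com",
              "to_email": "staff@example.com",
              "subject": "Urgent: approve this wire transfer",
              "message": "Please see the attached page and approve today."}
    print(build_vulnerable(attack)["From"], "|", build_vulnerable(attack)["Subject"])
    print(build_hardened(attack)["From"], "|", build_hardened(attack)["Subject"])
```

Python's EmailMessage already refuses header values that contain CR or LF; the hardened builder normalises them anyway so the guarantee does not depend on the mail library. Beyond the headers, a form like this also needs a per-IP rate limit and a CAPTCHA or similar, since even a non-spoofable relay is still a free bulk mailer wearing the company's domain and signature.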
#10 Gary Wheeler (replying to Ray Cassick)

            My personal favorite was a lab machine we were (re)installing XP on, and we forgot to disconnect the network cable. The machine was infected with several viruses before the XP install completed...

            Software Zen: delete this;

#11 G Tek (replying to rohans84)

              I knew of an IT services company that had an incident once where they found one of their employees had been saving viruses on their personal network share! A "virus hobbyist", if you will, who had somehow figured that this was not only a good idea, but that it should also be done on the corporate network. Brilliant.

#12 Vercas (replying to rohans84)

I know this is kind of off-topic, but the worst security flaw I've ever seen/read about was on the news. (5 o'clock, the morbid news here.) A 19-year-old boy was home alone and he was... watching porn and doing other unchristian stuff. After 4 hours of "working out" he closed the browser, put his torrents on seed and then went to sleep. Well, half an hour later his mother (who was very religious) came home and she had to check a few emails. When she opened the browser some web pages were restored, 4 of which were porn videos. (Like one wasn't enough. >.>) And the consequences: the mother castrated her child while he was asleep (with a salad knife, ironically) and popped his eyes out of his head (with the same knife). Well, the mother ended up in a hospital (for severe mental illness) (St. Paraschiva Hospital :laugh: ) and her (dead) son was buried... Her 4 other children (:^)) were given to their grandparents. Cause: her son forgot to enable Private Browsing or open a Private Tab or use a similar feature of his browser. Consequence: castration, eyeball popping and, eventually, death. Nobody died because of your security flaws. That boy did!

_______________________

Anyway, I use my netbook computer for "Shared Storage", as I call it on the network. It's a folder on my laptop that I am sharing over the home network for code storage. When I went to sleep, I forgot to shut down my netbook. The problem is, I also had Remote Desktop enabled for all connections and I was connected to the internet! Well, while I was asleep, someone broke into my netbook and copied all my code for himself, and now he's making lots of money out of it, while I am making free little programs for both personal and public use. I can name that person but I won't, because it's not nice. I'll remain with the knowledge out of this... (which is more important than money, in my humble opinion).

The flaw(s) is (are) Microsoft's f***ing fault: when someone attempts to remotely connect to your computer, you are given a 20-second warning to log out or you will be automatically logged out. OR that I forgot to shut down my computer. That person or someone else would have eventually broken into my netbook, but whatever. Because of Microsoft and/or my remembering skills, someone else now makes a profit (which I could use a lot these days!). X|

                I <3 C#!

#13 BrainiacV (replying to rohans84)

Gather 'round kiddies, while I spin a tale of olde tyme computing, back when mainframes roamed the planet and fed on punched cards. I was a wee sprout teaching myself how to program on a timesharing PDP-8 in high school. The crowd I ran with usually had all the passwords, either through visiting the computer center, stopping the processor and using a disk diagnostic tool to pull the master password off the hard disk, or bugging the automatic logout program. But mostly through what is now called social engineering... "Hello, Fred? I know you don't use the computer (terminal) at your school, but could you get me the password to your school's account? Yeah, it's usually written on the blackboard by the terminal."

Unfortunately the teachers and system manager thought we had some machine language program that would coerce the passwords out of the system by forcing it to fail and as a last gasp would spit out the passwords as sort of a "help me!" before crashing. Stop laughing, these bozos were serious. So we had the name and so we set out to earn it. After about a month of trying to crack the security, we gave up. The timesharing environment was a rubber playpen that would not let us have access to the goodies.

And then I cracked it... by accident. Really. In what seems to be the pattern of my programming life, I have this innate and uncontrollable talent for finding bugs. Most of my career it has been a pain ("Why is it only you that has trouble with the software?"), but at my current job, it is a boon.

Back at the plot. I had gotten hold of the system programmer's guide for the OS and had gotten tired of flipping pages to interrelate system tables. Until I was seduced by the dark side of programming, I was studying to be an architect and had access to large sheets of paper and a drafting board. So I made this master layout of all the system tables and how they interconnected. When I was done, I could see how I could go from public information and drill down to the input/output buffers. The system guide said you did not have buffers until you were logged in. I should have known it was BS because we used to hide what we were typing from the noobs by typing a long string of commands on the same line as the login. Since the keystrokes were not echoed until you were logged in, only someone good at reading keystrokes could see what we were doing. But it got me to thinking I could watch what was being done at the other schools' terminals. So I hacked out a quick little program called "Sn

#14 patbob (replying to rohans84)

Google's been doing this to unwary website operators almost since its inception. So many cases have hit the news over the years I've lost count. Sounds like a case of "doomed to repeat" to me.

#15 si618 (replying to rohans84)

                      Plenty more here!

#16 Richard Deeming (replying to rohans84)

                        rohans84 wrote:

                        directory browsing was enabled

So you're working for ACS:Law? ;)


                        "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

#17 rohans84 (replying to Richard Deeming)

We were not so stupid as to put our transactional data (customer data) on a box which is connected to the internet :cool:

#18 Richard A Dalton (replying to Camilo Sanchez)

Camilo Sanchez wrote:

We had this FTP in our company that one day appeared full of porn; apparently anonymous access to the FTP was enabled.

Anonymous access to the FTP was enabled? There's an excuse I need to remember. -Richard

                            Hit any user to continue.

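A probe for the condition in Camilo Sanchez's post that Richard A Dalton quotes above (an FTP service accepting anonymous logins), written in Python as an added example and not taken from any poster. anonymous_login_allowed() is the check a practitioner would run against a host; FakeFtpServer is a constructed loopback stand-in that speaks just enough of the FTP control channel to answer USER, PASS and QUIT, so the probe can be exercised offline with both outcomes. The reply texts and the use of 127.0.0.1 are assumptions of the example.

```python
import ftplib
import socket
import threading


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Probe one FTP service: True if 'USER anonymous' plus a throwaway
    password gets a 2xx reply, False if the server refuses with 5xx.
    An unreachable host raises OSError so it is not mistaken for 'closed'."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # ftplib defaults: user 'anonymous', password 'anonymous@'
        return True
    except ftplib.error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


class FakeFtpServer:
    """Constructed stand-in for a real server (not a real FTP implementation):
    serves a single control connection on an OS-chosen loopback port."""

    def __init__(self, allow_anonymous):
        self.allow_anonymous = allow_anonymous
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._listener.accept()
        self._listener.close()

        def reply(line):
            conn.sendall((line + "\r\n").encode("ascii"))

        reply("220 FakeFTP ready")
        user = None
        with conn.makefile("rb") as lines:
            for raw in lines:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.strip().lower()
                    reply("331 Password required")
                elif cmd == "PASS":
                    # The misconfiguration from the post: anonymous gets in.
                    if user == "anonymous" and self.allow_anonymous:
                        reply("230 Anonymous access granted")
                    else:
                        reply("530 Login incorrect")
                elif cmd == "QUIT":
                    reply("221 Goodbye")
                    break
                else:
                    reply("502 Command not implemented")
        conn.close()


if __name__ == "__main__":
    for allow in (True, False):
        srv = FakeFtpServer(allow_anonymous=allow)
        result = anonymous_login_allowed("127.0.0.1", srv.port)
        print(f"server allows anonymous={allow}: probe reports {result}")
```

When the probe returns True, the follow-up question for the incident in the post is whether anonymous users can also write, since an anonymous account that can STOR is what turns a server into a dump site; ftplib's storbinary with a scratch file under a throwaway name answers that against a host you are authorised to test.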