Your worst security blunder

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Goto page 1, 2, 3, 4, 5  Next
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses

View previous topic :: View next topic  
Author Message
chris
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777201
Location: ~/security-forums

Offline

PostPosted: Fri Feb 07, 2003 12:42 am    Post subject: Your worst security blunder Reply with quote

Embarrassment time

Please post your worst security blunders here, either first hand or that of a friend / colleague

Smile
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Posted: Fri Feb 07, 2003 12:54 am

Leaving a linux server unfirewalled on the net with wu-ftp enabled.

only took 3 weeks b4 it was 0\/\/n3d

Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed

4 years ago tho! Smile
Networkguy
Trusted SF Member
Joined: 29 Apr 2002
Posts: 16777215
Location: UK

Posted: Fri Feb 07, 2003 1:47 am

Not me but very funny

The night shift in a certain data center were getting bored one night. Of course they could not access any of the hard core porn on the net due to the corporate firewall rules.

But hang on, somebody realises that the data center is also a core node on our Internet backbone with several 9.6-GB feeds to it Very Happy

So they head off down to a pair of very large and very expensive Juniper routers and patch into a spare gigabit ethernet port (this is a core internet transit router).

Next they build themselves a nice little proxy server and plug that in and from there route it back onto the corporate LAN.

You may have noticed that I didn't mention a firewall. That's right. They didn't bother.

So for a few nights, they have the time of their lives surfing the darker side of the net and even help themselves to some spare space on a customers EMC storage array.

In 4 nights, they managed to use up half a terabyte of storage with pictures, videos and mp3s Very Happy

But then somebody notices during a routine security check that there is an unsecure web connection on the corporate LAN so the investigation starts.

So here we have guys who have the intelligence to configure a Juniper transit router, build themselves a proxy, configure this onto the corporate LAN and even reallocate an EMC storage array.

BUT

What they didn't do (and this is what got them sacked).

SWITCH OFF THE LOGGING ON THE PROXY Surprised

Just how much evidence did they think HR would need to sack them?
flw
Forum Fanatic
Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Posted: Fri Feb 07, 2003 2:38 am

saxo, shouldn't you have started this with an example of your own? Just to show we all f*ckup sometimes. Here's two for me:

1. I forgot to shut off sshd when under an active bot attack that looked for an open issue with ssh1 when we were using ssh2. I got it the next day. Oops Embarassed

2. I also accepted a job from a jack of all trades and master of none when it came to IT and security. Confused
squidly
Trusted SF Member
Joined: 07 Oct 2002
Posts: 16777215
Location: Umm.. I dont know.. somewhere

Posted: Fri Feb 07, 2003 4:12 am

I've not had anything as bad as that happen.. Just a friend was routing through my PC and he was dling some stuff from Kazaa. Well, some script kiddie tracked it back to my IP and tried to attack me. At the time I had no firewall up, and no real integrity checking. My school's firewall caught most of it.

On the other side of the fence, I was playing around with arp-spoof and I killed one of the local Cisco routers. Knocked apx 400 people off the net for a couple of hours. Embarassed Thank goodness they didn't look at the logs and see where the fake ARPs were coming from Smile
myhatisred
Just Arrived
Joined: 11 Jan 2003
Posts: 0

Posted: Fri Feb 07, 2003 4:31 am

Leaving port 23 open on my firewall when I closed everything else, and had a nice Linux box running until someone decided to take control of it. It's alright, that was 2 years ago, I've grown up since then.
Mongrel
SF Mod
Joined: 30 May 2002
Posts: 8

Posted: Fri Feb 07, 2003 7:57 am

FTP site on my win2k - local user account - upload AND admin rights - script kiddie - rooted -

Fortunately I noticed the machine was rebooted in the AM, tracked down all the goodies for posterity and study's sake - wiped 'er clean and re-installed.
ThePsyko
SF Mod
Joined: 17 Oct 2002
Posts: 16777178
Location: California

Posted: Fri Feb 07, 2003 9:48 am

Ugh.. I wasn't thinking and I didn't think to sanitize the HTTP_REFERER variable when tracking how people were getting to my page... a friend of mine injected a bunch of JavaScript into my tables and flooded me with popups when I went to view the logs.. Although since then I've found that HTML & scripting injections can be fun Smile

A worse one though.. not my domain, & was never responsible for it.. but one night I was poking around her server.. just reading and browsing.. went to her host's support page and saw something about a web control panel that you access via the cgi-bin.. so of course I took a peek.. but not only did I take a peek, I 0wned that domain in under 10 seconds.. damn scary.. since there wasn't an account configured, it took whatever u/p I put in there and made me the administrator.. Now for the lucky part... she says that was supposed to have been taken down about 2 years ago and she had been told it was... during that 2 years, that domain was (at first anyway) despised by almost everybody in alt.hackers.malicious - a couple of them SWORE they were going to r00t it.. two years they tried every brute force, Apache exploit, cgi exploit.... but they never bothered to stop and read the 'site owner's manual' on the hosting company's support page... 2 years they tried and didn't see the open door right in front of them LOL
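The log-viewer bug ThePsyko describes (unsanitized Referer values written into an HTML table, then executed when the logs are viewed), as an added example that is not the poster's code. It assumes an Apache-style combined access log (the post does not say what logging was used), the sample lines are constructed, and the function names are hypothetical; the unsafe renderer reproduces the blunder and the safe one escapes every untrusted field at the point it enters the HTML.

```python
import html
import re

# Apache/nginx "combined" format; quotes inside a quoted field arrive as \"
# so the quoted groups accept backslash-escaped characters too.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines: one ordinary hit, and one whose Referer header
# carries markup. Referer is attacker-controlled input like any other header.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Feb/2003:09:48:01 -0800] "GET /index.html HTTP/1.0" 200 512 '
    '"http://search.example/?q=security" "Mozilla/4.0"',
    '198.51.100.9 - - [07/Feb/2003:09:49:12 -0800] "GET /index.html HTTP/1.0" 200 512 '
    '"http://evil.example/<script>alert(1)</script>" "Mozilla/4.0"',
]


def parse_combined(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def render_rows_unsafe(lines):
    """The blunder: the referer string is dropped straight into an HTML cell."""
    rows = [f"<tr><td>{e['host']}</td><td>{e['referer']}</td></tr>"
            for e in map(parse_combined, lines) if e]
    return "\n".join(rows)


def render_rows_safe(lines):
    """The fix: escape every untrusted field where it enters HTML.
    quote=True also escapes quotes, so the value is safe inside attributes."""
    rows = []
    for e in filter(None, map(parse_combined, lines)):
        host = html.escape(e["host"], quote=True)
        referer = html.escape(e["referer"], quote=True)
        rows.append(f"<tr><td>{host}</td><td>{referer}</td></tr>")
    return "\n".join(rows)


def contains_raw_tag(rendered, tag="script"):
    """Regression check for a log viewer: did an untrusted tag survive unescaped?"""
    return re.search(rf"<{tag}\b", rendered, re.IGNORECASE) is not None
```

The same rule applies to every other logged header (User-Agent, request line): escape on output, since nothing upstream guarantees the bytes are harmless.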
Mike
Just Arrived
Joined: 05 Jan 2003
Posts: 0

Posted: Tue Feb 11, 2003 7:41 pm

On my FreeBSD server I put a copy of master.passwd in it.
Some users noticed it and decrypted the passwd so they could log in without a notice Razz

But now I still see stupid wheel users who do that Wink
chris
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777201
Location: ~/security-forums

Posted: Tue Feb 11, 2003 8:20 pm

I've been caught out by classic social engineering

A few years back on IRC, when there was the usual tonne of flaming and abuse, I accepted a file from what I thought was a trusted source. Checked the ISP (which at the time had dynamic IPs) and the ident / nickname / realname matched up, so I accepted the file. I ran it; McAfee said it was fine.

Since it was from a trusted source (or so I thought) I didn't suspect anything. It opened a funny image, and a DOS window spawned quickly, at which point I knew something was wrong but not quite what. After analysis later it turns out it was sub7 bound to a picture and edited slightly to bypass most signatures at the time Sad

Noticed a stack of connection attempts after which were denied by the software firewall I was using at the time, conseal, so pulled the plug and reformatted


Last edited by chris on Tue Dec 09, 2003 11:27 pm; edited 1 time in total
browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Tue Feb 11, 2003 11:16 pm

Only last week I made a cunning bat file with delprof to delete all the bazillions of local profiles created on our win2k boxes. I was just using net view to get a list of computer names.

It was an honest mistake; I didn't think about ppl's laptops. Luckily I only wiped out one person's profile, who had their laptop on the network but not logged in. That was certainly a close one.


About 9 months ago, something went wrong in the switch cabinet (8 stacked switches). I was trying to fix it by myself in the evening; there was a night class on. Unfortunately I didn't do a very good job, and I think I inadvertently unplugged some switches from each other. In the morning no-one could remember how they were supposed to plug together. We had to get someone from the firm that put them in to come and sort us out. It was a hideous mess b4 I made it worse. So they just unplugged everything and put them all back in again in a better order and made us a diagram. Smile
WHISP3R
Just Arrived
Joined: 12 Jan 2003
Posts: 0

Posted: Tue Feb 11, 2003 11:24 pm    Post subject: Irc Screwup

Opening a telnet connection to my IRC channel eggdrop and finding out that through /msg IDENT password the bot had set my hostmask to *bob*@*.undernet.org. And I was on the Auto Op list, allowing anyone with bob as a username logged into X to be auto-opped
Embarassed Embarassed Embarassed
Moral: ALWAYS Always Add your eggdrop hostnames manually. Or ident and then change them.
ComSec
Trusted SF Member
Joined: 26 Jul 2002
Posts: 16777215

Posted: Wed Feb 12, 2003 2:24 am

Don't laugh, an EX AOL member through work.......till I got booted and lost me job Very Happy Very Happy........even had a spam collection box called e-mail LOL

"thank you aol"
tutaepaki
Trusted SF Member
Joined: 02 May 2002
Posts: 3
Location: New Zealand

Posted: Wed Feb 12, 2003 3:23 am

I was asked by a colleague to scan his ADSL connection to see how secure he was. Turned out he wasn't at all; the ADSL modem was wide open, and it took all of 5 secs on Google to turn up his config password.

The trick was when I showed him how easy it was, and left his work PC connected to the config screen of his ADSL modem, with auto-refresh enabled. In a classic case of timing, he'd just upgraded to a 10MB connection with a very low data cap.

He still blames me for the $600 bill he got from his ISP Laughing
Zilker
Just Arrived
Joined: 02 Apr 2003
Posts: 0

Posted: Sat Apr 12, 2003 9:53 pm    Post subject: NT blunder

So I'm sr. sysadmin on an NT 4.0 network of about 8,000 users. I get a call from the helpdesk that "no one" can log in. Hmmm. That's strange. I check and I can log in; seems everyone around me (sysadmin team) can log in. What could the problem be?

Everyone who has admin privilege can log in, but no one else can? What could it be.

Then the "HOLY CRAP!!!!" moment hits. What would allow me, an administrator, to log in but not anyone else? "Access this computer from the network"

Well, it seems one of the other administrators (read client) had decided to build himself a test domain controller. He wanted to secure the system, so what does he do? He removed everyone except "Administrators" from "Access this computer from the network" on his "test DC".

Of course, any policy change on a Backup DC is actually performed on the PDC and propagated. So in effect, by trying to secure his system, he had blocked everyone from accessing the NT domain.
ThePsyko
SF Mod
Joined: 17 Oct 2002
Posts: 16777178
Location: California

Posted: Sun Apr 13, 2003 3:02 am

?? he put an unauthorized DC onto an existing network for "testing" purposes?? without realizing the impact or notifying anybody?? holy smokes... did you take him out back at the end of the day and beat the crap outta him at least?

All times are GMT + 2 Hours