Waraxe IT Security Portal

icenix · Advanced user

Embarassment time Very Happy

Feel Free to post your worst security blunders here, either first hand or that of a friend / colleague
Come on..Dont Be Shy Embarassed

icenix · Advanced user

Not anyone im even closely in contact to Razz

but check this out...

The night shift in a certain data center were getting bored one night. Of course they could not access any of the hard core porn on the net due to the corporate firewall rules.

But hang on, somebody realises that the data center is also a core node on our Internet backbone with several 9.6-GB feeds to it

So they head off down to a pair of very large and very expensive Juniper routers and patch into a spare gigabit ethernet port (this is a core internet transit router).

Next they build themselves a nice little proxy server and plug that in and from there route it back onto the corporate LAN.

You may have noticed that I didn't mention a firewall. Thats right. they didn't bother.

So for a few nights, they have the time of their lives surfing the darker side of the net and even help themselves to some spare space on a customers EMC storage array.

In 4 nights, they managed to use up half a terrabyte of storage with pictures, videos and mp3s

But then somebody notices during a routine security check that there is an unsecure web connection on the corporate LAN so the investigation starts.

So here we have guys who have the intelligence to configure a Juniper transit router, build themselves a proxy, configure this onto the corporate LAN and even reallocate an EMC storage array.

BUT

What they didn't do (and this is what got them sacked).

SWITCH OFF THE LOGGING ON THE PROXY

Just how much evidence did they think HR would need to sack them?

DragonHighLord · Regular user

oh, i've got a doozy.
i feel realy stupid cause I actually did this, so, please don't laugh at me (at least not when i'm aroung lol).

about 8 months ago I bought this computer from a friend of mine, nice system (paid $600) AMD k7, Nvidia chip, Hercules Soundcard, Water cooled processor (had never seem one of those before). so I'm crusin along, checking out everything it can do (or that I can do with it) and i'm in BIOS, just checking it out, changing things around, and I figured well, as long as I don't save the changes when I exit everything cool. well that was my mistake, I acciently hit esit, and double tapped the enter key. Yup, Saved the changes and exited BIOS. I'm not sure if you understand how bad that sucked. Living In Montat with NO computer Services, no PC repairs, Not one to fix my little problem. took me a week to fix it by myself, literaly taking my comp[uter apart, checking manufactuer labels on the hardware, and damn near re-building the thing. But she runs fine now (months later) and the funny thing is, I actually learned a lot more about My PC, and PC's in general from my BIOS Nightmare.........
Still All in All, if you don't know much or PC's, i HIGHLY recomend not messing around with you systems BIOS........
P.S. I passworded my BIOS with a 15 charater password, I screwed it up big time, I don't want that to happen EVER again, especialy by someone else........................

DragonHighLord---------------------------- Cool

shai-tan · Valuable expert

Yeah my mate entered 127.0.0.1 into his own DoS exploit once trying to hack me at a LAN........ He never lived it down

lenny · Valuable expert

I built myself a secure Debian server. I had done everything by the book, and I had almost finished. The aim (apart from practice) was to set up a secure internet-facing DMZ webserver. Being a student means no high-spec hardware/data-centers to play with and a simple 8mbps ADSL connection. Simple, but useful for my needs.
I had fully configured the OS and installed necessary patches etc, and all that remained was software. I installed all the various pieces of software and all related security patches etc and all was fine... until I started dealing with the FTP server. I needed to allow directory writing for the user that I would be hosting my files from. I had already copied most of my pages and scripts over to the /www directory, but the user didn't "own" any of the files, so i "chmod"ed them.

Ok, here is the blunder.
I used the command "Chmod 777 ./*"
Except I didnt. I forgot one very important character.
The actual command i used went along these lines: "Chmod /* 777"
Notice the differance? Yes, thats right. A single ".". So instead of allowing permission to just my web directory, I chmodded THE ENTIRE SERVER to 777 permissions! I could have died it was that stupid!

gibbocool · Advanced user

hahaha how long did it take you to notice?

lenny · Valuable expert

I realised the second i pressed enter. Unfortunatley, Linux/UNIX is not designed for idiots and dont have the helpful (and annoying) windows-style "Are you sure?" prompts!

gibbocool · Advanced user

lol well that's nothing a quick ctrl+c wouldn't stop.

I have a security story..
A security course lecturer at my university said that he did a survey of my city to find the ratio of secure and unsecure wireless networks.

Outer suburbs he found:
40% of people had no wireless encryption
30% used WEP
30% use WPA (0% using 801.1)

Inner suburbs:
30% of people had no wireless encryption
40% used WEP
30% use WPA (0% using 801.1)

CBD:
30% had no wireless encryption
30% used WEP
40% use WPA (1% using 801.1)

Considering that it is possible to crack WEP in 60 seconds (including time to capture packets) it is ridiculous that so many businesses are insecure.

He then went on to say that he was hired by a large business to test the security of their wireless networks. He did this by sitting in his car with his laptop and driving around the business testing the wireless. While he found a few security problems with the wireless networks, he was most surprised to find that NOT ONE employee stopped to ask what a man sitting in a car with a laptop all day was doing.