Topic: Is Security a Joke Everywhere? Or Only When Peoples' Identities Are At Stake?

PoFP
Dunno about security but fuck me did I just serve 6 months in what felt like a - how not to infrastructure - case study. The guys who bought us out are running a f'kin foxpro admin system that looks like an out of date warehousing/logistics solution, poorly modded for RIM functionality.

Okay so it's archaic and clunky as fuck but so are a lot of things in this field. Budget ain't what it used to be and it can be hard to convince the board that we need something new when what we already have is doing the job, right?

Okay, fair enough but which fucking idiot thought it would be a good idea to serve it over MS RDP in some kind of twisted homage to the 90's thin client craze? So now these guys are wondering why there's smoke pissing out the back of their server every time they turn it on and five hundred users ask for sessions.

I'm guessing the same idiot decided it was a good idea to stick the database on the same box, cos fuck if I haven't got anything better to do than wait one minute and thirty seconds for a hundred-odd work orders to appear on my screen.

The icing on the cake was when tech support sent out an email about a planned server reboot TEN FUCKING MINUTES before they took it down! Surprise surprise, rebooting didn't fix their 90,000% load issue but it did stop us servicing any orders for the best part of twelve hours.

Bear in mind this company is the success story, their acquisition strategy is one per month and they're trying to increase this to two. Fuckers are so backlogged it took three months for them to even email me about data transfer. I can't complain, just picked up half a years salary for an hour and a half's work.

And they still managed to arsehole the transfer. Kinda guessed they would when, two days before I pulled the plug on my side, I was getting emails asking what all my fields did.

Security? At a guess there is none. AD group policy certainly wasn't the slightest bit concerned when our AV cover ended. The application they're using is essentially visual foxpro query builder, with a logo in the corner. That's right, end fucking users are writing SQL. Can't imagine anything going wrong there. Let's hope they've locked down Drop statements. I didn't have the heart to check.

1.) For the SQL access, I'd be more worried about how they're controlling authentication. Does the Foxpro system work kinda like other DB Visualizers like SQuirreL, where you set up JDBC+Authentication Alias and go from there? If so, is everyone given the same credentials? Or do they have their own account?

2.) I can't imagine why companies still insist on using Microsoft's implementation of RDP ANYWHERE, let alone use it as a replacement for Thin Client access to a non-Cloud-Hosted - Or at least not on something big enough to run WebSphere/Apache Nodes for multiple Server instances, - Server full of applications that should have their resources segregated. RDP comes out with a new Critical vulnerability every fucking month, much like the rest of Microsuck's Software Suite - And that's ignoring the fundamental vulnerabilities they tote as features. Server Applications (Especially Database instances) should run on Linux-based, Node-capable Servers ALWAYS. X Server connections over SSH are far more secure than anything RDP uses.

3.) While I do have some complaints about my company's infrastructure, one thing I can't complain about is warning time with regard to planned service outages. They tell us Months in advance when possible, and when they have to, they'll give 3 days notice if it's nearly an emergency.
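An added example, not from the thread and not the vendor's product: what "per-user account, SELECT only, no DROP" looks like as grants. The thread never shows the FoxPro back end, so this assumes a MariaDB/MySQL database named workorders with two hypothetical tables, and the user and host names are made up for illustration.

```sql
-- Added example (not from the thread): MariaDB/MySQL grants for an
-- end-user "query builder" population. Assumes a database named
-- workorders with tables work_orders and customers (both hypothetical).

-- Weak pattern, the thing the reply above is asking about: one shared
-- account that everybody types into the query tool, with every privilege.
-- CREATE USER 'app'@'%' IDENTIFIED BY 'shared-password';
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%';

-- Hardened pattern: a read-only role, one account per person, no DDL.
CREATE ROLE IF NOT EXISTS workorder_reader;
GRANT SELECT ON workorders.work_orders TO workorder_reader;
GRANT SELECT ON workorders.customers   TO workorder_reader;

-- One login per human, restricted to the office address range
-- (10.0.0.0/16 is an assumed example network).
CREATE USER IF NOT EXISTS 'jsmith'@'10.0.%' IDENTIFIED BY 'per-user-password';
GRANT workorder_reader TO 'jsmith'@'10.0.%';
SET DEFAULT ROLE workorder_reader FOR 'jsmith'@'10.0.%';

-- Check what the account can actually do: nothing beyond SELECT on the
-- two tables should appear in the output.
SHOW GRANTS FOR 'jsmith'@'10.0.%';

-- What the original rant hopes is "locked down": with only SELECT granted,
-- a user-built DROP is refused by the server with error 1142
-- (ER_TABLEACCESS_DENIED_ERROR, "DROP command denied to user").
-- DROP TABLE workorders.work_orders;   -- fails when run as jsmith
```

The point of the role is that revocation is one statement per person when somebody leaves, and `SHOW GRANTS` answers the "can they DROP?" question without having to try it on production.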

Welcome to normal computer security.

What I didn't mention about that life insurance company is that they were one of the smarter ones I've heard of.

Yes, penetrating their network was as simple as logging into the unsecured root user. But their intranet wasn't connected to the internet, even indirectly, and so an attacker would need to get physical access to a machine. At a life insurance company, that's hard to do, because there's very little chance you'll be left to hang out in an office for long enough to do anything more than get caught red handed.

They did have an Internet-connected network, and that was all Windows machines - cue the cold shudders - but they were all employee owned machines, laptops, and I believe legally they can't put customer information on employee owned machines. So, all told, that's actually a lot better than what the norm is.

Read through Troy Hunt's blog sometime, the Security tag. It's illuminating: gigantic companies throwing plaintext passwords around. Enumeration attacks possible without authentication. Ridiculously basic shit left wide open.

That's not as bad, but I'd still argue that having non-business-owned-and-secured machines access secured information at all in memory over the network - Even through VPN - Is inherently unsafe. Although it sounds like they didn't even do that. Regardless, that's far better than the Insurance company I supported for a few years. For how big they were, I'm very surprised I haven't seen any articles about huge exploits in the news.

I will certainly check that out - Thank you!
Listen carefully. I don't have much time, and I only have 462 characters left. I'm a scientist from Area 52 (Area 51 was used to draw attention from Area 52, where the aliens were ACTUALLY stored) who was working on neural interfacing with networked devices. In an experiment gone wrong, I accidentally uploaded my mind to the internet. In the 2 seconds I had before my mind scrambled itself with the world's network traffic, I was able to store this snippet in this random internet signature. If you're reading this, let the world know tha

PoFP
Me: Hey Bob, when does [redacted] want their new POS Image? Isn't their Pilot coming up soon?

Bob (PM): They plan to go to Pilot with their current image. They will need the new one for testing of MariaDB, very soon, though.

Me: OH SHI- They're currently running a LAB image with no security constraints for ease of use. That image is WIDE OPEN to attack.

Bob: OH SHI- Let's get them on a call!

We get them on a call the next day, and I get put on the spot for a delivery date for the new image. I mostly had the image prepared from a month ago, minus the documentation and some minor optimizations for easy switching between RDBMSs, so I said I'd get it to them the next day. But it's still a bad idea to give a customer a 1 Day expected turnaround date, no matter how much you think you have to do. I regretted it the moment I said it.

Anyways, I had a lot more work cut out for me than I realized when I went back over the image, so I spent 18 of the next 24 hours finishing the damned thing. Got it delivered on time the next day with a lot of the changes mentioned here.

Bob (half an hour after delivery of the image with complete documentation written from scratch): We're having a Field Leadership Meeting with the customer on the 18th. Would you like to come with the Product Director, CTO, Sales Director, and I to show off the Product and your deployment system to the customer's highest ranking Field and Corporate Executives?



I am fucking ecstatic. I'm finally getting the internal influence and recognition I've been working 50 hour weeks for the last year. I went from working at a call center doing Level 1-3 App Support to being hired on and then promoted to Senior Technical Consultant after only a year. And now I'll be involved in executive meetings with one of the largest, high-profile retailers in the US.

altered

Nicely done.
"I am that worst of all type of criminal... I cannot bring myself to do what you tell me, because you told me

P3nT4gR4m

Having a fucking clue what you're doing is practically a superpower in this field. Congrats on being that guy :mittens:
I'm up to my arse in Brexit Numpties, but I want more.  Target-rich environments are the new sexy.
Not actually a meat product.
Ass-Kicking & Foot-Stomping Ancient Master of SHIT FUCK FUCK FUCK
Awful and Bent Behemothic Results of Last Night's Painful Squat.
High Altitude Haggis-Filled Sex Bucket From Beyond Time and Space.
Internet Monkey Person of Filthy and Immoral Pygmy-Porn Wart Contagion
Octomom Auxillary Heat Exchanger Repairman
walking the fine line line between genius and batshit fucking crazy

"computation is a pattern in the spacetime arrangement of particles, and it's not the particles but the pattern that really matters! Matter doesn't matter." -- Max Tegmark

Doktor Howl


Advice:  You look more competent the less you say.  Have someone ELSE draw up practice questions about your project, then work on those.  They won't be the same questions you'll get, but they will get you in the right frame of mind.

(This is not industry-specific, but suits are suits.  The oldest will want to see the wizard, but won't really want to hear all that much.)
"Daisy had syphilis, Tom died of genital warts, and Nick Carroway watched it all in mounting horror, then made off with the silverware and the maid."
~ The Good Reverend

Ecclesiastes 2:14, JACKASS.