Is Security a Joke Everywhere? Or Only When Peoples' Identities Are At Stake?

Started by POFP, July 21, 2019, 05:16:27 PM

POFP

Quote from: P3nT4gR4m on July 24, 2019, 04:55:52 PM
Dunno about security but fuck me did I just serve 6 months in what felt like a - how not to infrastructure - case study. The guys who bought us out are running a f'kin foxpro admin system that looks like an out of date warehousing/logistics solution, poorly modded for RIM functionality.

Okay so it's archaic and clunky as fuck but so are a lot of things in this field. Budget ain't what it used to be and it can be hard to convince the board that we need something new when what we already have is doing the job, right?

Okay, fair enough but which fucking idiot thought it would be a good idea to serve it over MS RDP in some kind of twisted homage to the 90's thin client craze? So now these guys are wondering why there's smoke pissing out the back of their server every time they turn it on and five hundred users ask for sessions.

I'm guessing the same idiot decided it was a good idea to stick the database on the same box, cos fuck if I haven't got anything better to do than wait one minute and thirty seconds for a hundred-odd work orders to appear on my screen.

The icing on the cake was when tech support sent out an email about a planned server reboot TEN FUCKING MINUTES before they took it down! Surprise surprise, rebooting didn't fix their 90,000% load issue but it did stop us servicing any orders for the best part of twelve hours.

Bear in mind this company is the success story, their acquisition strategy is one per month and they're trying to increase this to two. Fuckers are so backlogged it took three months for them to even email me about data transfer. I can't complain, just picked up half a year's salary for an hour and a half's work.

And they still managed to arsehole the transfer. Kinda guessed they would when, two days before I pulled the plug on my side, I was getting emails asking what all my fields did.

Security? At a guess there is none. AD group policy certainly wasn't the slightest bit concerned when our AV cover ended. The application they're using is essentially visual foxpro query builder, with a logo in the corner. That's right, end fucking users are writing SQL. Can't imagine anything going wrong there. Let's hope they've locked down Drop statements. I didn't have the heart to check.

1.) For the SQL access, I'd be more worried about how they're controlling authentication. Does the Foxpro system work kinda like other DB Visualizers like SQuirreL, where you set up JDBC+Authentication Alias and go from there? If so, is everyone given the same credentials? Or do they have their own account?

2.) I can't imagine why companies still insist on using Microsoft's implementation of RDP ANYWHERE, let alone use it as a replacement for Thin Client access to a non-Cloud-Hosted - Or at least not on something big enough to run WebSphere/Apache Nodes for multiple Server instances, - Server full of applications that should have their resources segregated. RDP comes out with a new Critical vulnerability every fucking month, much like the rest of Microsuck's Software Suite - And that's ignoring the fundamental vulnerabilities they tote as features. Server Applications (Especially Database instances) should run on Linux-based, Node-capable Servers ALWAYS. X Server connections over SSH are far more secure than anything RDP uses.

3.) While I do have some complaints about my company's infrastructure, one thing I can't complain about is warning time with regard to planned service outages. They tell us Months in advance when possible, and when they have to, they'll give 3 days notice if it's nearly an emergency.

Quote from: nullified on July 24, 2019, 06:54:10 PM
Welcome to normal computer security.

What I didn't mention about that life insurance company is that they were one of the smarter ones I've heard of.

Yes, penetrating their network was as simple as logging into the unsecured root user. But their intranet wasn't connected to the internet, even indirectly, and so an attacker would need to get physical access to a machine. At a life insurance company, that's hard to do, because there's very little chance you'll be left to hang out in an office for long enough to do anything more than get caught red handed.

They did have an Internet-connected network, and that was all Windows machines — cue the cold shudders — but they were all employee owned machines, laptops, and I believe legally they can't put customer information on employee owned machines. So, all told, that's actually a lot better than what the norm is.

Read through Troy Hunt's blog sometime, the Security tag. It's illuminating: gigantic companies throwing plaintext passwords around. Enumeration attacks possible without authentication. Ridiculously basic shit left wide open.

That's not as bad, but I'd still argue that having non-business-owned-and-secured machines access secured information at all in memory over the network - Even through VPN - Is inherently unsafe. Although it sounds like they didn't even do that. Regardless, that's far better than the Insurance company I supported for a few years. For how big they were, I'm very surprised I haven't seen any articles about huge exploits in the news.

I will certainly check that out - Thank you!
This Certified Pope™ reserves the Right to, on occasion, "be a complete dumbass", and otherwise ponder "idiotic" and/or "useless" ideas and other such "tomfoolery." [Aforementioned] are only responsible for the results of these actions and tendencies when they have had their addictive substance of choice for that day.

Being a Product of their Environment's Collective Order and Disorder, [Aforementioned] also reserves the Right to have their ideas, technologies, and otherwise all Intellectual Property stolen, re-purposed, and re-attributed at Will ONLY by other Certified Popes. Corporations, LLC's, and otherwise Capitalist-based organizations are NOT capable of being Certified Popes.

Battering Rams not included.
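The least-privilege setup the post above is asking about (one named account per person, read-only access for the query tool, DROP never granted to it), written out as an added example; it is not from the poster or the company being described. It uses MariaDB syntax (MySQL 8 roles work similarly but `SET DEFAULT ROLE` differs), and the `warehouse` schema, the user names and the host ranges are constructed placeholders.

```sql
-- Added example, not from the thread. MariaDB 10.1+ syntax; schema name,
-- user names, passwords and host ranges are constructed placeholders.

-- Weak setting: everyone shares one login that can do anything, DROP included.
-- Query logs then say "app" for every user and nothing stops a bad statement.
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' IDENTIFIED BY 'shared-password';

-- Hardened setting: a read-only role is the only thing the query builder gets.
CREATE ROLE IF NOT EXISTS query_reader;
GRANT SELECT ON warehouse.* TO query_reader;

-- One account per person, restricted to the office range, so a query in the
-- log ties back to an individual and one leaked password burns one account.
CREATE USER IF NOT EXISTS 'alice'@'10.0.0.%' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT query_reader TO 'alice'@'10.0.0.%';
SET DEFAULT ROLE query_reader FOR 'alice'@'10.0.0.%';

-- DDL rights live on a separate account that the query tool never uses.
CREATE USER IF NOT EXISTS 'schema_admin'@'localhost' IDENTIFIED BY 'replace-with-a-real-secret';
GRANT CREATE, ALTER, DROP, INDEX ON warehouse.* TO 'schema_admin'@'localhost';

-- Check: an end-user account should list only USAGE on *.* plus the role.
-- Any line granting DROP, DELETE or ALL PRIVILEGES here is a misconfiguration.
SHOW GRANTS FOR 'alice'@'10.0.0.%';
```

With this in place a `DROP TABLE` typed into the query builder fails with a privilege error at the server, which is the check that matters: the tool's own statement filtering, if it has any, is a convenience, not the control.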

POFP

Me: Hey Bob, when does [redacted] want their new POS Image? Isn't their Pilot coming up soon?

Bob (PM): They plan to go to Pilot with their current image. They will need the new one for testing of MariaDB, very soon, though.

Me: OH SHI- They're currently running a LAB image with no security constraints for ease of use. That image is WIDE OPEN to attack.

Bob: OH SHI- Let's get them on a call!

We get them on a call the next day, and I get put on the spot for a delivery date for the new image. I mostly had the image prepared from a month ago, minus the documentation and some minor optimizations for easy switching between RDBMSs, so I said I'd get it to them the next day. But it's still a bad idea to give a customer a 1 Day expected turnaround date, no matter how much you think you have to do. I regretted it the moment I said it.

Anyways, I had a lot more work cut out for me than I realized when I went back over the image, so I spent 18 of the next 24 hours finishing the damned thing. Got it delivered on time the next day with a lot of the changes mentioned here.

Bob (After a half hour after delivery of the image with complete documentation written from scratch): We're having a Field Leadership Meeting with the customer on the 18th. Would you like to come with the Product Director, CTO, Sales Director, and I to show off the Product and your deployment system to the customer's highest ranking Field and Corporate Executives?

I am fucking ecstatic. I'm finally getting the internal influence and recognition I've been working 50 hour weeks for the last year. I went from working at a call center doing Level 1-3 App Support to being hired on and then promoted to Senior Technical Consultant after only a year. And now I'll be involved in executive meetings with one of the largest, high-profile retailers in the US.

altered

"I am that worst of all type of criminal...I cannot bring myself to do what you tell me, because you told me."

There's over 100 of us in this meat-suit. You'd think it runs like a ship, but it's more like a hundred and ten angry ghosts having an old-school QuakeWorld tournament, three people desperately trying to make sure the gamers don't go hungry or soil themselves, and the Facilities manager weeping in the corner as the garbage piles high.

P3nT4gR4m

Having a fucking clue what you're doing is practically a superpower in this field. Congrats on being that guy :mittens:

I'm up to my arse in Brexit Numpties, but I want more.  Target-rich environments are the new sexy.
Not actually a meat product.
Ass-Kicking & Foot-Stomping Ancient Master of SHIT FUCK FUCK FUCK
Awful and Bent Behemothic Results of Last Night's Painful Squat.
High Altitude Haggis-Filled Sex Bucket From Beyond Time and Space.
Internet Monkey Person of Filthy and Immoral Pygmy-Porn Wart Contagion
Octomom Auxillary Heat Exchanger Repairman
walking the fine line line between genius and batshit fucking crazy

"computation is a pattern in the spacetime arrangement of particles, and it's not the particles but the pattern that really matters! Matter doesn't matter." -- Max Tegmark

Doktor Howl

Quote from: PoFP on August 04, 2019, 04:34:03 PM
Me: Hey Bob, when does [redacted] want their new POS Image? Isn't their Pilot coming up soon?

Bob (PM): They plan to go to Pilot with their current image. They will need the new one for testing of MariaDB, very soon, though.

Me: OH SHI- They're currently running a LAB image with no security constraints for ease of use. That image is WIDE OPEN to attack.

Bob: OH SHI- Let's get them on a call!

We get them on a call the next day, and I get put on the spot for a delivery date for the new image. I mostly had the image prepared from a month ago, minus the documentation and some minor optimizations for easy switching between RDBMSs, so I said I'd get it to them the next day. But it's still a bad idea to give a customer a 1 Day expected turnaround date, no matter how much you think you have to do. I regretted it the moment I said it.

Anyways, I had a lot more work cut out for me than I realized when I went back over the image, so I spent 18 of the next 24 hours finishing the damned thing. Got it delivered on time the next day with a lot of the changes mentioned here.

Bob (After a half hour after delivery of the image with complete documentation written from scratch): We're having a Field Leadership Meeting with the customer on the 18th. Would you like to come with the Product Director, CTO, Sales Director, and I to show off the Product and your deployment system to the customer's highest ranking Field and Corporate Executives?

I am fucking ecstatic. I'm finally getting the internal influence and recognition I've been working 50 hour weeks for the last year. I went from working at a call center doing Level 1-3 App Support to being hired on and then promoted to Senior Technical Consultant after only a year. And now I'll be involved in executive meetings with one of the largest, high-profile retailers in the US.

Advice:  You look more competent the less you say.  Have someone ELSE draw up practice questions about your project, then work on those.  They won't be the same questions you'll get, but they will get you in the right frame of mind.

(This is not industry-specific, but suits are suits.  The oldest will want to see the wizard, but won't really want to hear all that much.)
Molon Lube