Comments & Opinions |
Home Page | Comments | Articles | Faq | Documents | Search | Archive | Tales from the Machine Room | Contribute | Set language to:en it | Login/Register
As everybody should, by now, know, "vampires" are immaginary creatures that attack during the night and feed themselves by drinking the "vitality" (often in the form of the blood) of their victims. During the day they stay hidden in dark places, away from the light of the sun and the rest of the society.
The image of the "vampire" as a parasite, that live on the back of "active" and "productive" individuals by leaching their life, has been used many times to signify a negative behavour. Compared with other "things" like "zombies" that are damaging but can't be faulted for their action not possessing a functional brain anymore, the vampire understand perfectly well its own "negativity", and most of the time is also proud of it. Not for nothing, the first vampire was even a Noble. Just to reiterate the concept.
But nowaday, we've got other type of "vampires", the IT kind.
Phishers, spammers, scammer and the like. And then... And then you get the so-called "security experts".
Maybe you didn't noticed, but is a while that we get notices of huge security bugs left and right.
From the administrator using a crappy password (or no password) that leave databases with personal information availeble for everybody to see, to bugs and defect that allow to bypass the passwords, even when there are passwords.
Now, since there is some need for doing things in a decent way, instead of fucking them up as usual, obviously there is also a need for checking if things are actually done the right way. As such, there are peopls that jumped on the bandwagon and immediately started sending invoices to everybody for "security checks".
Many companies that produce and distribute software, after some initial problem, began to actively search and pay "bounties" for bugs and problems, but since pigs and dogs immediately began spamming with requests and claims, most of these companies are quite slow in checking things, the result is that many "security experts" have turned to the "other" side of the market, selling the bugs and vulnerabilities to the very people that uses them against the companies in a very lucrative market.
Anyhow, all this because this morning this mail landed in my inbox:
Hallo,
I am a Security Researcher and I've found several Vulnerabilities in your site, one of them is the following:
I managed to send a forged e-mail to a gmail account, the forged mail seems to be sent by 'webmaster@domain'! I've been able to do so because your DMARC record is:
"No DMARC Record found"
This vulnerability can be used in phishing and scamming and is news-worthy.
The sending of these kind of forged mail is doable using sofisticated tools like PHP and Python.
I am available for further explanation about this vulnerability and its potential solution, I expect to receive a bounty for this discovery and will report others if there are.
So... all this talking of "vulnerabilities" (with capitals) ... because there is no DMARC? Now, I'll leave to Wikipedia to explain what the fuck is DMARC and what is used for (not much, if you want to know).
Now, this make me think... the "guy" that helps the vampire, even when he is not a vampire himself... how should he be called? Wannabe-vampire?
Davide Bianchi
18/03/2020 10:16
This site is made by me with blood, sweat and gunpowder, if you want to republish or redistribute any part of it, please drop me (or the author of the article if is not me) a mail.
This site was composed with VIM, now is composed with VIM and the (in)famous CMS FdT.
This site isn't optimized for vision with any specific browser, nor
it requires special fonts or resolution.
You're free to see it as you wish.