Tales from the Machine Room


Home Page | Comments | Articles | Faq | Documents | Search | Archive | Tales from the Machine Room | Contribute | Login/Register

The weakest link

Everybody talks about "computer security" from the beginning of time, but very few know what it is and how it works and even less do care about it. Is not long time ago that a big swab of fortune-500 companies ended up with millions of customers' "personal data" published and under threat of ransomware, and that make me think that the situation hasn't changed much since the time I wrote this document, that is still good.

What did changed since that time is that the situation has gotten worse. Before, we had to take care about computers. Now we have to care about computers, phones (that are computers), tablets (that are computers), the doorbell, the garage's lock, the house thermostat, the toaster, the fridge, the window's curtains, the car and the toilet's flush, all of which are, for no good reason at all, not just computers, but have to be connected to the internet 24x7 to work.

And in all this it seams that the whole idea of "security" is to just ignore it.

And now that we have the basis, let's talk about $witted&dim, a company that did... many things.

These peoples had several machines that performed business analysis, that is, they were fed data from other companies and then added a bunch of random number and produced nice graphs and such.

Since 99% of their activities consisted in collecting and distributing documents and databases, a huge chunk of their infrastructure was FTP and SFTP access for several "customers".

Now, FTP is a protocol that was invented in a golden age, when in the world there were 4 computers, two of which were in the same university and another one shared the same cable as the phone, so if you wanted to use it you had to get the cable and then put it back when you had done with it. Is not a surprise that the concept of "security" was a bit lacking.

If we also add that FTP works in many cases by having the client to begin a new connection on an random port... and we have a huge problem when you want to run one behind a firewall. Especially if your "standard" mode is "everything is closed unless is specifically required". That is a wonderful mode but it require that somebody takes stock of all that is required and where it's supposed to go and how. And this, for $witted&dim, was a big problem.

For example, one nice morning we got a call from CL that lamented that one of their customer had a consultant that couldn't login anymore.

CL - ...so our customers have this consultant and now he can't login anymore
Me - And did it worked before? Maybe its IP has changed, can we get the new and the old IP ?
CL - I don't have the IP, can't we just open them all?
Me - Open them all is a bit too much, the best practice is to give access to what is needed and when.
CL - I think is just annoying.
Me - You leave your house door permanently wide open or do you open it only when somebody need to get in and you know him?
CL - ...what has this to do with the whole thing ?
Me - It's exactly the same thing.

After several discussion, we manage to get the new IP, that is from China.

Me - Your consultat is in China now?
CL - Ain't "our" consultant, he works for one of our customers.
Me - And he is in China?
CL - I don't know if he is in China!
Me - Good, ask them then.

After a bit we got word from CL's Customer (CL2)

CL2 - What does "China" means?
Me - That the IP we got from CL is from China.
CL2 - ...our consultan ain't in China, he is in Germany, you're talking nonsenses..
Me - The Ip I got is X.Y.Z.K. it's the right one?
CL2 - Yes... at least it sounds the right one...
Me - That IP belongs to a Chinese ISP.
CL2 - No... that doesn't sound right.
Me - Check it please.
CL2 - I must check it?
Me - Yes. Contact the guy and ask him.

Some more time passes.

CL2 - Well, I've spoken with the guy and he said he is no longer working for us and he is not in china and hasn't tried to connect for a while.
Me - Good.
CL2 - Somebody has idea what is going on?
Me - I think it's time for you to clean up your personnel data, who's working for you, who isn't and where they are and what kind of access they have and they need.
CL2 - We have to do that?
Me - Who else? We certainly don't know who is working for you or not.

This situation repeated itself for a few times, until $witted&dim decided that the "best" thing to do was to add a blanker "pass all" rule for the firewall access to their systems. The discussion went more or less like "they are paying us so that's it". I tried to explain that our "motto" was "security first" and that is basically the opposite of "blanket pass-all rule", but ...

Then, another nice day, it came out that a huge chunk of $witted&dim's database was mailed to several public site, and obviously their customers weren't pleased with the fact. Obviously, we were asked to "explain" how such "incident" had to came.

A quick check revealed that one of $witted&dim's employee (CL3) had logged into the database several times and performed several operation in the previous days, and most of the access were from IPs that WEREN'T correct. Because it doesn't matter how fast you are, you can't login from Peru, China and Germany in the space of 5 minutes. And I also noticed that before that, for days, CL3 had logged in from an IP that belonged to some of $witted&dim's customer. The question was, was CL3 working at their place?

CL3 - Ah no, that's ok.
Me - "That's ok" means?
CL3 - That is one of our customer.
Me - Yes, I know that, their IP was in our list before. But are you working at their office? Why there are login from there?
CL3 - No, they are logging in as me.
Me - ...care to elaborate?
CL3 - They needed to do stuff on a database and we didn't wanted to go through the whole story to get a login, so I simply gave it mine.

...silence...

Me - Your login username is your e-mail address right?
CL3 - Yes.
Me - And your password is the same for your e-mail?
CL3 - Is this related?
Me - Yes, you just gave out your access to the whole corporate e-mail.
CL3 - But they are our customer...
Me - Yes, and they probably gave the same to their customers.

Of course this meant that $witted&dim had to do a lot of work, because they had to replace ALL THE PASSWORD and check EVERYTHING that had gone through CL3 e-mails or any other system he had access to, and any system he knew that required just a click on "I forgot my password" to get a new one mailed to that e-mail. An e-mail that half of the word knew about at this point.

And the major problem, in my opinion, was that the whole concept of "security" had gone out of the window at this point. And the idea that "they are paying us" was more important than pumping some common sense into the head of customers.

Davide
28/09/2018 14:19

Previous Next

Comments are added when and more important if I have the time to review them and after removing Spam, Crap, Phishing and the like. So don't hold your breath. And if your comment doesn't appear, is probably becuase it wasn't worth it.

11 messages this document does not accept new posts
Messer Franz By Messer Franz - posted 19/11/2018 10:15

I saggi dicevano "attacca il ciuccio dove vuole il padrone".

Non dicevano però cosa fare quando qualcuno ha rubato il ciuccio e il padrone se la prende con te perchè sei un suo sottoposto e non vuole ammettere di essere un deficiente...

io di solito mi occupo di programmazione ( anche web ) ma per la sicurezza con alcune scuse collaudate scarico la responsabilità di dirmi cosa fare ad uno che si vanta di essere supergenio della sicurezza web...

Un giorno hanno sfondato un sito, ma non c'è stato problema per nessuno ( di noi ): il loro sistemista aveva modificato il codice (la configurazione) per  far sì che il sito si collegasse con un solo utente, l'amministratore standard, con come password "password321" (ci sono i numeri quindi è sicura) perchè non voleva fare altri utenti.

Pensa un po', appena (grazie al sito online) il web ha saputo il loro ip (che prima usavano solo internamente), INCREDIBILMENTE hanno aperto il db come una cozza...

questi hackers sono veramente incredibili, ne sanno una più del diavolo...

--
Messer Franz


Anonymous coward By Anonymous coward - posted 19/11/2018 11:04

ma cl3 lavorava per $SitoFamosoSoprattuttoPerLeDomandeEPerILeak di cui vegnono pubblicati i leak ogni 3x2?

--
Anonymous coward


Thomas By Thomas - posted 19/11/2018 17:09

Ironicamente, secondo Chrome soft-land è un sito "non sicuro" :\)

(per default lo dice di tutti i siti non in HTTPS)

--
Thomas


Davide Bianchi@ Thomas By Davide Bianchi - posted 20/11/2018 10:22

Ironicamente, secondo Chrome soft-land è un sito "non sicuro" :\)

(per default lo dice di tutti i siti non in HTTPS)

E infatti se usi HTTPS lo diventa...

 

--
Davide Bianchi


Lazza@ Davide Bianchi By Lazza - posted 20/11/2018 19:41

E infatti se usi HTTPS lo diventa...

Non è che per caso ti sei dimenticato la regoletta su htaccess?

A me dà la versione HTTP liscia senza ridirezionarmi.

 

--
Lazza


Davide Bianchi@ Lazza By Davide Bianchi - posted 21/11/2018 16:33

A me dà la versione HTTP liscia senza ridirezionarmi.

Non ci sono redirezioni al momento. Ed e' voluto non e' dimenticanza.

 

 

--
Davide Bianchi


Anonymous coward@ Davide Bianchi By Anonymous coward - posted 21/11/2018 09:44

E infatti se usi HTTPS lo diventa...

Perché non metti il redirect verso https di default? C'è qualche motivo specifico o è solo in fondo alla to-do list?

 

 

--
Anonymous coward


Davide Bianchi@ Anonymous coward By Davide Bianchi - posted 21/11/2018 16:34

Perché non metti il redirect verso https di default?

Perche' senno' tutto va' verso 'www.soft-land.org' e non verso altri siti. Voglio modificare il cms in modo da usare un singolo certificato invece di una pletora ma...

 

 

 

 

--
Davide Bianchi


trekfan1@ Davide Bianchi By trekfan1 - posted 21/11/2018 15:56

 

Ironicamente, secondo Chrome soft-land è un sito "non sicuro" :\)

(per default lo dice di tutti i siti non in HTTPS)

E infatti se usi HTTPS lo diventa...

 

Però se si usa il feed rss non viene usato https ma http

 

--
trekfan1


Luca Bertoncello By Luca Bertoncello - posted 21/11/2018 08:32

Perche' non importa quanto sei veloce, non puoi fare accesso dal Peru', dalla Cina e dalla Germania distanza di 5 minuti.

Babbo Natale ce la fa senza problemi... ;\)

--
Luca Bertoncello


Nik By Nik - posted 22/11/2018 18:29

Non so se è più agghiacciante l'avvenimento raccontato in sé oppure il fatto che non mi sono per nulla stupito di tutto ciò...

--
Se striscia fulmina, se svolazza l'ammazza


11 messages this document does not accept new posts

Previous Next


This site is made by me with blood, sweat and gunpowder, if you want to republish or redistribute any part of it, please drop me (or the author of the article if is not me) a mail.


This site was composed with VIM, now is composed with VIM and the (in)famous CMS FdT.

This site isn't optimized for vision with any specific browser, nor it requires special fonts or resolution.
You're free to see it as you wish.

Web Interoperability Pleadge Support This Project
Powered By Gojira