Awesome article on how a hacker can compromise a network

RE: Awesome article on how a hacker can compromise a network

- (Sarkunarajah S) — Fri, 29 Oct 2004 17:29:00 GMT

Attended a few of Jasper's session during TechEd 2004 in Malaysia. All of them were very informative and enjoyed it very much...

re: Awesome article on how a hacker can compromise a network

Jerry Pisk — Fri, 29 Oct 2004 18:29:00 GMT

Funny conclusions, but my personal experience is completely different. Once a hacker hacks your network your admins will complain to their managers about you pointing out the hack and the managers will forbid you to ever talk to IT personel again and restrict your access so you will not be able to find out whether the network was hacked or not in the future.

re: Awesome article on how a hacker can compromise a network

Larry Osterman — Fri, 29 Oct 2004 18:34:00 GMT

That's very sad Jerry.

Because it means that the managers don't care about the company.

Because if they cared about their company, they'd care about the fact that every bit of data on the company network is gone.

And if every bit of data on the company network is now in the hands of the hackers, then it's not their company any more, As Jesper's article mentioned: "hope that the hacker does a good job running the network".

Once the hack's happened, you don't own your company any more, the hacker owns your company.

re: Awesome article on how a hacker can compromise a network

James Risto — Fri, 29 Oct 2004 18:45:00 GMT

Appears that checking for single quote in the input would have prevented this.

re: Awesome article on how a hacker can compromise a network

Larry Osterman — Fri, 29 Oct 2004 18:46:00 GMT

Actually there were a couple of things that were done wrong on that site, but yes, the avenue for entry was a single case of not validating inputs from the user.

That's all it takes.

re: Awesome article on how a hacker can compromise a network

Jerry Pisk — Sat, 30 Oct 2004 03:09:00 GMT

I'll add a quote I've heard from one manager about validating user input: "We don't need to validate the input because normal user will never enter values like you did." And I have to thank Larry for finding the right word to describe this - sad.

re: Awesome article on how a hacker can compromise a network

Skywing — Sat, 30 Oct 2004 04:31:00 GMT

SQL Server runs fine as a limited account, too; they shouldn't have been running it with LocalSystem.

Findings this afternoon

Jason Haley — Sun, 31 Oct 2004 00:18:00 GMT

Findings this afternoon

re: Awesome article on how a hacker can compromise a network

Norman Diamond — Mon, 01 Nov 2004 00:18:00 GMT

10/29/2004 11:34 AM Larry Osterman

> That's very sad Jerry.
> Because it means that the managers don't
> care about the company.

In exactly the same way, some government agencies don't care about their countries. One of Richard Feynman's books includes a story of what happened when he discovered that safes used in a military office weren't secure. More recently (in this millennium) a US court ordered the FBI to pay a million dollars to a whistleblower that they had fired, but they didn't have to rehire the whistleblower and the criminals who are in charge remain in charge. Oops sorry, no hacking in the latter case, but Feynman's accidentaly discovery resembled white-hat hacking.

re: Awesome article on how a hacker can compromise a network

"grey cap" — Mon, 01 Nov 2004 19:29:00 GMT

>but Feynman's accidentaly discovery resembled >white-hat hacking.
i think it wasn´t accident. He did it for curiousity as he was quite adventurous person=).

re: Awesome article on how a hacker can compromise a network

Norman Diamond — Mon, 01 Nov 2004 23:16:00 GMT

He was playing for fun, but I don't think he started with a deliberate intention to break in. After his discovery, he tried to be a white-hat hacker, demonstrating the problem and recommending that it get fixed, but naturally he was ostracized for his efforts and the security holes were left in place.

re: Awesome article on how a hacker can compromise a network

foxyshadis — Thu, 04 Nov 2004 04:27:00 GMT

The only thing about a 'generic' windows install is that it's easier to get into than a 'generic' *nix install. Secured versions of each are harder, and unprotected versions of each are easier - the really important aspect is an admin who knows what they're doing and can weigh trade-offs appropriately.

I knew one guy who broke into a network and 'adopted' it, upgrading and securing it, answering administrative questions, and communicating with employees in general, just because he liked the feeling of being an admin. (In a rather pathological way.) And a dozen who take networks for fun, profit, and revenge, and leave them trashed, even one who only broke into challenging unix systems.

Unfortunately, unless you're willing to live day-to-day like a locked-down, paranoid government branch with audited software and no outside connection, there will always be some way for a dedicated hacker to get you. *shrug* There's always a chance you'll get hit by a car, just be safe and be ready with some plan for after.

re: Awesome article on how a hacker can compromise a network

Larry Osterman — Thu, 04 Nov 2004 04:40:00 GMT

foxyshadis,
Is a 'generic' Windows install more secure than a generic Linspire install? Linspire's a Linux distro, last I heard (albeit, not intended for enterprise deployment).

And I'm not sure that it really matters. As a corrolary to your comment, if you're deploying a server solution on ANY platform, you need to make sure that it's locked down, regardless of platform.

Larry Osterman s WebLog Awesome article on how a hacker can | Hair Growth Products

Sat, 13 Jun 2009 15:36:21 GMT

PingBack from http://hairgrowthproducts.info/story.php?id=2632