• TimeBandit (unregistered) in reply to Mike

    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.

    I have a Linux server with an uptime of 3.5 years, so obviously it's not getting kernel patches. The thing is in a data-center accessible from the internet and doing its job non-stop 24/7 without anything in front of it to protect it. The logs show multiple attempts at hacking it, but no success yet.

    Of course there have been security exploits on Linux and other Unixes, but the damage that can be done is nowhere near what happens when Windows is exploited. And the number of bugs affecting Windows that permit a REMOTE UNAUTHENTICATED user to gain ADMIN rights is just unbelievable !

    MS built a house with cardboard and then try to put steel bars in the windows

    Come back when you have enough experience using something else than your toy OS

  • Design Pattern (unregistered)

    Wait, what?!

    During his tour, Adam was introduced to the financing group, the warehouse supervisor and his crew, the ladies who ran most of the front office, and other supporting personnel. After meeting with the PC technician, Mr. Repinski showed Adam the place where he would be spending much of his time - the server room.
    So Adam's crew were the ladies who ran the front office in the server room?
  • PFY (unregistered) in reply to Greg Brady
    Greg Brady:
    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.
    Clearly you don't have much experience with schmucks running business. When it comes to reporting security vulnerabilities, shooting the messenger is the norm because it will end up like this: 1) First, your message gets ignored as unimportant because the boss is a douchebag and can't be bothered. 2) Second, you demonstrate why this is a CRITICAL SECURITY FAILURE and boss should care. 3) Third, the boss concludes you have hacked the system and hackers are evil, so you either get passed up for a raise or have your pay docked or get fired.

    See, boss lives in a fantasy-land and only pays attention to what's in front of the eyes. If the problem is "people hacking the server" and the only person the boss sees hacking the server is you, the boss assumes you are the problem.

    If you don't try to get approval for fixing the problem, or you do but get ignored, the boss will probably fire you anyway the instant anything bad enough happens because it was your responsibility to get it fixed. Even if the boss was the obstacle.

    Your best bet is to give a clear report on the situation and risks without performing some kind of live demonstration to an authorized superior who is not the almighty boss, and then to get them to put it in writing and sign it when they say this doesn't need fixing, preferably somewhere on your report. Try to make sure you have demonstrated initiative and that it was superiors who blocked your way. This way, with any luck, when shit hits the fan, someone else gets to be the fall guy.

  • trwtf (unregistered) in reply to TimeBandit
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    That's fine by us. Why do you think we give a shit?
  • D00FUS (unregistered) in reply to trwtf
    trwtf:
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    That's fine by us. Why do you think we give a shit?
    The fact that you bothered to respond.
  • The Cool (unregistered) in reply to D00FUS
    D00FUS:
    trwtf:
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    That's fine by us. Why do you think we give a shit?
    The fact that you bothered to respond.
  • Franz Kafka (unregistered) in reply to Maurits
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.

    Sure, you know that now. Would you know that on your first gig out of helldesk?

  • Oh God It Hurts (unregistered)

    TRWTF is the commented out bit marked "had to cut this for reasons of space..."

    1: It's the internet dude, you can use as much space as you like.

    b) Commenting the text out doesn't actually help "cut space" in terms of bandwidth, it just wastes it.

    iii/ If the reader's attention is the key metric that you're trying to preserve, you should maybe try editing the story until it's comprehensible and then start worrying about its length. Readers tend to have more attention for stories they don't have to translate into a human-readable form.

    • There is no point D.

  • foo (unregistered) in reply to Sleepy
    Sleepy:
    It's not necessarily having just one server but the fact it had an openly accessible, anonymous user, full access SFTP server on it that has access to everything.
    Only without the S. Don't give them too much credit.
  • foo (unregistered) in reply to Tom Woolf
    Tom Woolf:
    This was a couple of years back, and corrections have been made to the process, but the company I work for had a good example of that. A developer added a server to our network, but it was a Friday afternoon so he did not complete his checklist. Nothing was available on the server except space. Over the weekend somebody discovered the open server and used it to store gigs of files for their buddies. Monday AM they were all gone, but the logs showed what happened, and also showed no attempts to hack anything else - they just used it for open storage.
    Then TRWTF was the checklist. You don't secure the server after putting it online (and possibly even after uploading your data), but beforehand. Even one second of unsecured Internet connection (if you're very unlucky) can compromise it.
  • best-typo-evar (unregistered) in reply to Mike

    ctrl-f undecidedly

    Was not disappointed

  • BlackBart (unregistered) in reply to Silver
    Silver:
    And then the retaliation from people who were annoyed their open server was cleaned out.

    I ran into this behavior, around 1999-2000: I ran an anonymous FTP (upload only) for good reasons. Eventually it was discovered by the Giga-uploaders and put to use, despite no one else being able to download the data; the FTP account was write-only until an admin approved the upload.

    After 2 rounds of this, they started uploading to folders with HA/HA/HA, and odd character set folder names. All deleted anyway. Finally I just shut off anonymous FTP.

    It is fully believable that the uploaders would have trashed the unsecured C: drive after they found that they were discovered and had their crap deleted.

  • foo (unregistered) in reply to Oh God It Hurts
    Oh God It Hurts:
    TRWTF is the commented out bit marked "had to cut this for reasons of space..."

    1: It's the internet dude, you can use as much space as you like.

    b) Commenting the text out doesn't actually help "cut space" in terms of bandwidth, it just wastes it.

    iii/ If the reader's attention is the key metric that you're trying to preserve, you should maybe try editing the story until it's comprehensible and then start worrying about its length. Readers tend to have more attention for stories they don't have to translate into a human-readable form.

    • There is no point D.

    How true. We've now had 3 or 4 explanations in the comments what could have happened. How about telling us what really happened? (What a novel idea in story-telling!)

    Otherwise, for reasons of space, I suggest this: "New guy, stupid boss, porn, fired. Fill in the rest, you know the drill."

  • my name (unregistered) in reply to foo
    Tom Woolf:
    This was a couple of years back, and corrections have been made to the process, but the company I work for had a good example of that. A developer added a server to our network, but it was a Friday afternoon so he did not complete his checklist. Nothing was available on the server except space. Over the weekend somebody discovered the open server and used it to store gigs of files for their buddies. Monday AM they were all gone, but the logs showed what happened, and also showed no attempts to hack anything else - they just used it for open storage.
    ... and rooting the server, installing various exploits and purging the log files, you mean?
  • Psychosis (unregistered) in reply to Franz Kafka
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.
    Best practices aren't easy to do when the boss is telling you to not do it. Then if you're devoted to the fix despite your boss stopping you, you will attempt a fix that works invisibly without anyone knowing, like you make a whitelist to cover your internal LAN and whatever IPs you logged and by now confirmed to be folks who work on-site, and then you add a script that checks for anyone who managed to log into your company website/email/etc and will temporarily update the whitelist for 24 hours with that IP address and another script to extend the whitelist duration for recent logins so someone doesn't get stopped in the middle of using the FTP.

    Then you check for people who repeatedly 24-hour-temp in from the same address, and perma-whitelist those. Then you add a script to check how long a whitelisted IP was unused and remove them if it's been long enough (a month?).

    After a while you wind up with a fully scripted system of whitelisting people into your FTP server which ultimately relies on folks logging into the company network before they get FTP access. With you checking the kinks every now and then.

    This way boss thinks everything is cool beans while you've got a semi-secured system rolling. And then when you find your next job, you get to see your scripts on WorseThanFailure.com
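One way to implement the self-expiring allow-list described in the post above, as an added Python example that is not code from the thread or from any project; the thresholds, the `FTP_ALLOW` chain name and the sample addresses are assumptions:

```python
"""Self-expiring FTP allow-list: an authenticated login to another company
service grants the client's IP 24 hours of FTP access, FTP activity extends
the window, addresses that keep coming back are promoted to permanent, and
anything unused for a month is pruned. Added example; thresholds, chain
name and sample addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TEMP_TTL = timedelta(hours=24)       # assumed: life of a temporary grant
PROMOTE_AFTER = 5                    # assumed: grants before going permanent
PRUNE_AFTER = timedelta(days=30)     # assumed: the post's "a month?"
T0 = datetime(2011, 1, 1, 9, 0)      # constructed clock for the demo


def later(**delta) -> datetime:
    """Constructed time helper: T0 plus timedelta keyword arguments."""
    return T0 + timedelta(**delta)


@dataclass
class Entry:
    permanent: bool = False
    expires: Optional[datetime] = None
    grants: int = 0
    last_used: Optional[datetime] = None


class AllowList:
    def __init__(self, static_networks: List[str]):
        # LAN and other ranges the admin has already confirmed as on-site
        self.static = [ipaddress.ip_network(n) for n in static_networks]
        self.entries: Dict[str, Entry] = {}

    @staticmethod
    def _key(ip: str) -> str:
        return str(ipaddress.ip_address(ip))   # rejects garbage, normalises

    def record_login(self, ip: str, now: datetime) -> str:
        """An address authenticated to web/mail: grant or renew FTP access."""
        e = self.entries.setdefault(self._key(ip), Entry())
        e.grants += 1
        e.last_used = now
        if e.permanent:
            return "permanent"
        if e.grants >= PROMOTE_AFTER:
            e.permanent, e.expires = True, None
            return "promoted"
        e.expires = now + TEMP_TTL
        return "temporary"

    def touch(self, ip: str, now: datetime) -> bool:
        """FTP activity from a currently allowed address extends its window."""
        e = self.entries.get(self._key(ip))
        if e is None or not self.is_allowed(ip, now):
            return False           # expired or never granted: no silent revival
        e.last_used = now
        if not e.permanent:
            e.expires = now + TEMP_TTL
        return True

    def is_allowed(self, ip: str, now: datetime) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.static):
            return True
        e = self.entries.get(str(addr))
        if e is None:
            return False
        return e.permanent or (e.expires is not None and now < e.expires)

    def prune(self, now: datetime) -> List[str]:
        """Drop entries, permanent ones included, unused for PRUNE_AFTER."""
        stale = [ip for ip, e in self.entries.items()
                 if e.last_used is None or now - e.last_used > PRUNE_AFTER]
        for ip in stale:
            del self.entries[ip]
        return stale

    def iptables_rules(self, now: datetime) -> List[str]:
        """Render current state as rules for an assumed FTP_ALLOW chain on the
        control port; passive-mode data ports would need their own range."""
        sources = [str(n) for n in self.static]
        sources += [ip for ip in self.entries if self.is_allowed(ip, now)]
        rules = [f"-A FTP_ALLOW -s {s} -p tcp --dport 21 -j ACCEPT" for s in sources]
        rules.append("-A FTP_ALLOW -p tcp --dport 21 -j DROP")
        return rules


def demo() -> dict:
    """Walk one constructed remote address through the whole lifecycle."""
    wl = AllowList(["192.168.0.0/16"])
    ip = "203.0.113.7"
    out = {"lan_ok": wl.is_allowed("192.168.1.5", T0),
           "unknown_blocked": wl.is_allowed(ip, T0),
           "first_login": wl.record_login(ip, T0),
           "allowed_23h": wl.is_allowed(ip, later(hours=23)),
           "extended": wl.touch(ip, later(hours=23)),
           "allowed_25h": wl.is_allowed(ip, later(hours=25)),
           "allowed_60h": wl.is_allowed(ip, later(hours=60)),
           "revive_after_expiry": wl.touch(ip, later(hours=60))}
    out["repeat_logins"] = [wl.record_login(ip, later(days=d)) for d in (3, 4, 5, 6)]
    out["allowed_day20"] = wl.is_allowed(ip, later(days=20))
    out["rule_count_day20"] = len(wl.iptables_rules(later(days=20)))
    out["pruned"] = wl.prune(later(days=40))
    out["allowed_day40"] = wl.is_allowed(ip, later(days=40))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The rendered rules only cover the FTP control channel; passive data connections and the underlying login events still have to be wired to the real firewall and log sources.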

  • (cs) in reply to TimeBandit
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    The wonderful thing about being an MS user is the complete lack of any need whatsoever to proselytize for my O.S., unlike the hordes of lusers out there.
  • TommyTuTone (unregistered) in reply to Greg Brady
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

  • (cs)

    And where is the WTF?

    The company's FTP was misused by some sceners for sharing their stuff. Probably some warez group or what ever.

    Adam did not fix the hole, but only deleted the site of the sceners. This resulted in important company data getting lost due to retaliation by the group.

    If I were Adam's boss, I would have fired him too for having handled the case that stupidly.

  • trtrwtf (unregistered) in reply to foo
    foo:
    Tom Woolf:
    This was a couple of years back, and corrections have been made to the process, but the company I work for had a good example of that. A developer added a server to our network, but it was a Friday afternoon so he did not complete his checklist. Nothing was available on the server except space. Over the weekend somebody discovered the open server and used it to store gigs of files for their buddies. Monday AM they were all gone, but the logs showed what happened, and also showed no attempts to hack anything else - they just used it for open storage.
    Then TRWTF was the checklist. You don't secure the server after putting it online (and possibly even after uploading your data), but beforehand. Even one second of unsecured Internet connection (if you're running Windows) can compromise it.

    FTFY

  • (cs) in reply to Quicksilver
    Quicksilver:
    And where is the WTF?
    I think it was in the basket. You know, the one with all the eggs?
  • TRWTF Decider (unregistered)

    TRWTF are companies with an IT department.

  • (cs) in reply to TommyTuTone
    TommyTuTone:
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

    My CTO sometimes has a loaded Desert Eagle .45 on his desk during meetings. God, I love that guy. Don't trash-talk the shock-and-awe guys generally - some of them know exactly what they are doing. So much is office politics, and sometimes, you just have to cut straight through it.

  • (cs) in reply to TRWTF Decider
    TRWTF Decider:
    TRWTF are companies with an IT department.
    Because?
  • by (unregistered) in reply to hoodaticus
    hoodaticus:
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    The wonderful thing about being an MS user is the complete lack of any need whatsoever to proselytize for my O.S., unlike the hordes of lusers out there.

    Agreed... It's not like having [Un|Lin]ux is an impenetrable fortress of best-practices (TM). It's a process called hardening, and if you disable every unnecessary service and/or (amongst other things), then you're reducing your surface area. Windows or Unix: if you keep telnet running with a shitty password, you're f*cked either way.

    Argument parallel to VB.NET vs. C#, or how PHP is insecure (don't use PHP, but I know better than to spout unfounded BS like that)...

  • frits (unregistered) in reply to hoodaticus
    hoodaticus:
    TommyTuTone:
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

    My CTO sometimes has a loaded Desert Eagle .45 on his desk during meetings. God, I love that guy. Don't trash-talk the shock-and-awe guys generally - some of them know exactly what they are doing. So much is office politics, and sometimes, you just have to cut straight through it.

    I'm pretty sure you can't tell whether a Dessert Eagle is loaded just by looking at it.

    I'm also pretty sure he could get fined for disturbing the peace.

    Your not too bright, are you?

  • (cs) in reply to frits
    frits:
    hoodaticus:
    TommyTuTone:
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

    My CTO sometimes has a loaded Desert Eagle .45 on his desk during meetings. God, I love that guy. Don't trash-talk the shock-and-awe guys generally - some of them know exactly what they are doing. So much is office politics, and sometimes, you just have to cut straight through it.

    I'm pretty sure you can't tell whether a Dessert Eagle is loaded just by looking at it.

    I'm also pretty sure he could get fined for disturbing the peace.

    Your not too bright, are you?

    And if I had told you how I knew it was loaded, you might have had a basis for making your inane comment. Also, I'm pretty sure a handgun on a desk doesn't disturb anything, much less the peace, but I only have a doctorate in law, so what would I know?

  • (cs) in reply to frits
    frits:
    I'm pretty sure you can't tell whether a Dessert Eagle is loaded just by looking at it.
    You really shouldn't eat eagles, for dessert or otherwise.
  • Ouch! (unregistered) in reply to hoodaticus
    hoodaticus:
    TimeBandit:
    I have about 20 years of experience, so let me put this clear : you will NEVER convince me to use an MS-OS as a server.
    The wonderful thing about being an MS user is the complete lack of any need whatsoever to proselytize for my O.S., unlike the hordes of lusers out there.
    I have to disagree. It's not the OS, it's whether you are the proselytizing type. Of course, the proselytizing types are more drawn to the minority OSs, so you find more Mac/Linux/BSD zealots than Windows zealots (at least in proportion), but I've also met more than enough Windows fanbois.
  • frits (unregistered) in reply to hoodaticus
    hoodaticus:
    frits:
    hoodaticus:
    TommyTuTone:
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

    My CTO sometimes has a loaded Desert Eagle .45 on his desk during meetings. God, I love that guy. Don't trash-talk the shock-and-awe guys generally - some of them know exactly what they are doing. So much is office politics, and sometimes, you just have to cut straight through it.

    I'm pretty sure you can't tell whether a Dessert Eagle is loaded just by looking at it.

    I'm also pretty sure he could get fined for disturbing the peace.

    Your not too bright, are you?

    And if I had told you how I knew it was loaded, you might have had a basis for making your inane comment. Also, I'm pretty sure a handgun on a desk doesn't disturb anything, much less the peace, but I only have a doctorate in law, so what would I know?
    Yeah, I also have Ph.Ds in U.S. Criminal Law, Political Science, and Particle Physics. Furthermore, I've undergone the 21-week Special Weapons training of the U.S. Marine Corps and graduated from there flight school. After setting the record score on the bar exam, I spent the next 25 years practicing international law before starring in a T.V. movie based on my life. After a brief stint as Mayor pro tem in New York City, I set several world records in the Iron Man Triathlon (for my age). I had to drop out of them to participate in military duty (which I am not at liberty to discuss), but I typically carry twin .44 Magnum Desert Eagles; so what would I know?

  • Kyle Z. (unregistered)

    I'm considered a very funny guy in my country, but when I write my funny stuff in English, it's so.... unfunny!

  • (cs) in reply to frits
    frits (cheap imitation):
    hoodaticus:
    And if I had told you how I knew it was loaded, you might have had a basis for making your inane comment. Also, I'm pretty sure a handgun on a desk doesn't disturb anything, much less the peace, but I only have a doctorate in law, so what would I know?
    Yeah, I also have Ph.Ds in U.S. Criminal Law, Political Science, and Particle Physics. Furthermore, I've undergone the 21-week Special Weapons training of the U.S. Marine Corps and graduated from there flight school. After setting the record score on the bar exam, I spent the next 25 years practicing international law before starring in a T.V. movie based on my life. After a brief stint as Mayor pro tem in New York City, I set several world records in the Iron Man Triathlon (for my age). I had to drop out of them to participate in military duty (which I am not at liberty to discuss), but I typically carry twin .44 Magnum Desert Eagles; so what would I know?
    Really though, who hasn't done all of that?
  • (cs) in reply to frits
    fantasy frits:
    Yeah, I also have Ph.Ds in U.S. Criminal Law, Political Science, and Particle Physics. Furthermore, I've undergone the 21-week Special Weapons training of the U.S. Marine Corps and graduated from there flight school. After setting the record score on the bar exam, I spent the next 25 years practicing international law before starring in a T.V. movie based on my life. After a brief stint as Mayor pro tem in New York City, I set several world records in the Iron Man Triathlon (for my age). I had to drop out of them to participate in military duty (which I am not at liberty to discuss), but I typically carry twin .44 Magnum Desert Eagles; so what would I know?

    Thanks for the upgrade, buddy.

    There is a grain of truth in some of that. So which forum regular was that anyway?

  • Dan (unregistered) in reply to foo
    foo:
    Then TRWTF was the checklist. You don't secure the server after putting it online (and possibly even after uploading your data), but beforehand. Even one second of unsecured Internet connection (if you're very unlucky) can compromise it.

    At work they once had a department meeting to demonstrate the necessity to install the patches. This was years ago before M$ invented the auto-install that reboots your computer while you're at lunch, causing loss of unsaved data. Anyway it was a skit that began with two guys in the company who had just finished installing a new server but then decided to wait over the weekend to secure it.

    Next scene was two hackers who had just discovered the new server and began exploiting its security holes to create an account and decrypt the passwords. They ran rootkit software against it, and discovered that it actually had already been compromised from outside.

    That in itself was probably a better demonstration than the skit itself was.

  • (cs) in reply to Franz Kafka
    Franz Kafka:
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.

    Sure, you know that now. Would you know that on your first gig out of helldesk?

    I would. I read this site.

  • frits' sock puppet (unregistered) in reply to frits
    frits:
    hoodaticus:
    frits:
    hoodaticus:
    TommyTuTone:
    Greg Brady:
    fritters:
    I don't get it.

    So the boss sabotaged the server to scapegoat one employee because he nearly got caught downloading porn?

    It sounds more like Brian--who did not appreciate getting scolded for "hacking" the server--went home and showed the boss just how much damage he could do.

    The clues are there.

    TRWTF is that I don't believe all these stories where the IT department demonstrates how a vulnerability could be exploited and they get in trouble for it.

    I agree with you. Of course there are those IT administrators out there that still think of themselves as god and keeper of things server related. When in fact, if they just did their job and approached things in a reasonable manner - instead of using shock and awe tactics - their point would get across in a much more meaningful way.

    My CTO sometimes has a loaded Desert Eagle .45 on his desk during meetings. God, I love that guy. Don't trash-talk the shock-and-awe guys generally - some of them know exactly what they are doing. So much is office politics, and sometimes, you just have to cut straight through it.

    I'm pretty sure you can't tell whether a Dessert Eagle is loaded just by looking at it.

    I'm also pretty sure he could get fined for disturbing the peace.

    Your not too bright, are you?

    And if I had told you how I knew it was loaded, you might have had a basis for making your inane comment. Also, I'm pretty sure a handgun on a desk doesn't disturb anything, much less the peace, but I only have a doctorate in law, so what would I know?
    Yeah, I also have Ph.Ds in U.S. Criminal Law, Political Science, and Particle Physics. Furthermore, I've undergone the 21-week Special Weapons training of the U.S. Marine Corps and graduated from there flight school. After setting the record score on the bar exam, I spent the next 25 years practicing international law before starring in a T.V. movie based on my life. After a brief stint as Mayor pro tem in New York City, I set several world records in the Iron Man Triathlon (for my age). I had to drop out of them to participate in military duty (which I am not at liberty to discuss), but I typically carry twin .44 Magnum Desert Eagles; so what would I know?
    It's true: I can vouch for frits on this one.

  • Nagesh (unregistered)

    Here in Hyderbad, it is making the best to be finding holes in server BEFORE we implement production release. It is bad to be exploited when already released to wild. You could be losting your data this ways.

  • Bert Glanstron (unregistered) in reply to Nagesh
    Nagesh:
    Here in Hyderbad, it is making the best to be finding holes in server BEFORE we implement production release. It is bad to be exploited when already released to wild. You could be losting your data this ways.
    Dear Nagesh,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous grammer clearly shows that you’re too young and too stupid to be using English.

    Go away and grow up.

    Sincerely, Bert Glanstron

  • nobody (unregistered) in reply to Maurits
    4) Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    No. Absolutely no. Write access should simply not exist using FTP. Ever.
  • Ann Coulter (unregistered) in reply to nobody
    nobody:
    4) Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    No. Absolutely no. Write access should simply not exist using FTP. Ever.
    Spoken like a true Democrat.
  • Design Pattern (unregistered) in reply to boog
    boog:
    frits (cheap imitation):
    Yeah, I also have Ph.Ds in U.S. Criminal Law, Political Science, and Particle Physics. Furthermore, I've undergone the 21-week Special Weapons training of the U.S. Marine Corps and graduated from there flight school. After setting the record score on the bar exam, I spent the next 25 years practicing international law before starring in a T.V. movie based on my life. After a brief stint as Mayor pro tem in New York City, I set several world records in the Iron Man Triathlon (for my age). I had to drop out of them to participate in military duty (which I am not at liberty to discuss), but I typically carry twin .44 Magnum Desert Eagles; so what would I know?
    Really though, who hasn't done all of that?
    FINALLY a usage of the fake-frits-wannabe-meme that isn't lame!
  • john (unregistered) in reply to Psychosis
    Psychosis:
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.
    Best practices aren't easy to do when the boss is telling you to not do it. Then if you're devoted to the fix despite your boss stopping you, you will attempt a fix that works invisibly without anyone knowing, like you make a whitelist to cover your internal LAN and whatever IPs you logged and by now confirmed to be folks who work on-site, and then you add a script that checks for anyone who managed to log into your company website/email/etc and will temporarily update the whitelist for 24 hours with that IP address and another script to extend the whitelist duration for recent logins so someone doesn't get stopped in the middle of using the FTP.

    Then you check for people who repeatedly 24-hour-temp in from the same address, and perma-whitelist those. Then you add a script to check how long a whitelisted IP was unused and remove them if it's been long enough (a month?).

    After a while you wind up with a fully scripted system of whitelisting people into your FTP server which ultimately relies on folks logging into the company network before they get FTP access. With you checking the kinks every now and then.

    This way boss thinks everything is cool beans while you've got a semi-secured system rolling. And then when you find your next job, you get to see your scripts on WorseThanFailure.com

    okay, so what if you don't have web access?
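
    The login-driven whitelist described in the quoted comment, written out as an added example (this is not the commenter's script, nor anything from the article): addresses on the internal LAN are always allowed; an outside address that authenticates to the company web site or mail gets FTP access for 24 hours, each further login during that window extends it, an address that earns temporary grants on several distinct days is promoted to permanent, and any entry unused for a month is dropped. The log line format, the thresholds (24 h, 3 days, 30 days), the LAN ranges and the iptables-style rule output are all assumptions made for the example, as is the constructed sample log. One caveat the comment glosses over: an address is not a user, so behind NAT or on a shared connection one person's login unlocks FTP for everyone sharing that address, which is why this is "semi-secured" at best.

```python
"""Added example: a login-driven FTP allowlist with temp grants, promotion and idle expiry.

Not the commenter's scripts and not part of the original article; the log
format, thresholds, LAN ranges and rule syntax below are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TEMP_TTL = timedelta(hours=24)       # assumed: access window granted per login
PROMOTE_AFTER = 3                    # assumed: temp grants on this many distinct days -> permanent
IDLE_EXPIRY = timedelta(days=30)     # assumed: drop any entry unused this long ("a month?")

# Assumed internal ranges; the commenter's "whitelist to cover your internal LAN".
LAN = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed login-log line format produced by the web/mail login check.
LOGIN_RE = re.compile(r"^(?P<ts>\S+) login ok user=(?P<user>\S+) ip=(?P<ip>[\d.]+)$")


@dataclass
class Entry:
    last_seen: datetime
    expires: datetime | None                 # None means permanently whitelisted
    grant_days: set[str] = field(default_factory=set)   # days a temp grant was issued/extended


class Allowlist:
    def __init__(self) -> None:
        self.entries: dict[str, Entry] = {}

    @staticmethod
    def in_lan(ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in LAN)

    def record_login(self, ip: str, when: datetime) -> None:
        """A successful company login grants (or extends) 24 h of FTP access for that address."""
        if self.in_lan(ip):
            return                            # covered by the static LAN rule
        e = self.entries.get(ip)
        if e is None:
            e = self.entries[ip] = Entry(last_seen=when, expires=when + TEMP_TTL)
        e.last_seen = when
        if e.expires is not None:             # still a temporary entry
            e.expires = when + TEMP_TTL       # extend so a session in progress isn't cut off
            e.grant_days.add(when.date().isoformat())
            if len(e.grant_days) >= PROMOTE_AFTER:
                e.expires = None              # repeatedly temp'd in: perma-whitelist

    def prune(self, now: datetime) -> None:
        """Drop entries (temporary or permanent) not seen for IDLE_EXPIRY."""
        for ip, e in list(self.entries.items()):
            if now - e.last_seen >= IDLE_EXPIRY:
                del self.entries[ip]

    def allowed(self, ip: str, now: datetime) -> bool:
        if self.in_lan(ip):
            return True
        e = self.entries.get(ip)
        return e is not None and (e.expires is None or now < e.expires)

    def ingest(self, lines: list[str], now: datetime) -> None:
        for line in lines:                    # lines are assumed to be in time order
            m = LOGIN_RE.match(line.strip())
            if m:
                self.record_login(m["ip"], datetime.fromisoformat(m["ts"]))
        self.prune(now)

    def active(self, now: datetime) -> list[str]:
        return sorted(ip for ip in self.entries if self.allowed(ip, now))

    def render_rules(self, now: datetime) -> list[str]:
        """Assumed iptables-style rules for a chain that fronts the FTP ports."""
        rules = [f"-A FTP -s {net} -j ACCEPT" for net in LAN]
        rules += [f"-A FTP -s {ip}/32 -j ACCEPT" for ip in self.active(now)]
        rules.append("-A FTP -j DROP")
        return rules


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2011-03-01T09:00:00 login ok user=alice ip=203.0.113.10",    # day 1
    "2011-03-01T09:05:00 login ok user=mallory ip=198.51.100.7",  # one-off login
    "2011-03-02T08:30:00 login ok user=alice ip=203.0.113.10",    # day 2
    "2011-03-03T08:45:00 login ok user=alice ip=203.0.113.10",    # day 3 -> promoted
    "2011-03-03T10:00:00 login ok user=bob ip=192.168.1.20",      # LAN, never listed individually
    "2011-03-03 login failed user=eve ip=198.51.100.99",          # does not match, ignored
    "2011-03-20T11:00:00 login ok user=carol ip=203.0.113.55",    # fresh temp grant
]
SAMPLE_NOW = datetime(2011, 3, 20, 12, 0)
SAMPLE_LATER = datetime(2011, 4, 15, 12, 0)


def build_allowlist(now: datetime = SAMPLE_NOW) -> Allowlist:
    al = Allowlist()
    al.ingest(SAMPLE_LOG, now)
    return al


if __name__ == "__main__":
    al = build_allowlist()
    print("\n".join(al.render_rules(SAMPLE_NOW)))
```

    Run as a cron job against the login log, the rendered rules replace the FTP chain each pass; keeping expired temporary entries around (rather than deleting them on expiry) is what lets the promotion check count grant days across separate 24-hour windows.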

  • john (unregistered) in reply to john
    john:
    Psychosis:
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.
    Best practices aren't easy to do when the boss is telling you not to do it. Then, if you're devoted to the fix despite your boss stopping you, you will attempt a fix that works invisibly, without anyone knowing: you make a whitelist covering your internal LAN and whatever IPs you logged and have by now confirmed to be folks who work on-site, then you add a script that checks for anyone who managed to log into your company website/email/etc. and temporarily adds that IP address to the whitelist for 24 hours, and another script that extends the whitelist duration for recent logins so someone doesn't get stopped in the middle of using the FTP.

    Then you check for people who repeatedly 24-hour-temp in from the same address, and perma-whitelist those. Then you add a script to check how long a whitelisted IP has gone unused and remove it if it's been long enough (a month?).

    After a while you wind up with a fully scripted system of whitelisting people into your FTP server which ultimately relies on folks logging into the company network before they get FTP access. With you checking the kinks every now and then.

    This way boss thinks everything is cool beans while you've got a semi-secured system rolling. And then when you find your next job, you get to see your scripts on WorseThanFailure.com

    okay, so what if you don't have web access?

    I mean webserver access.

  • Psychosis (unregistered) in reply to john
    john:
    john:
    Psychosis:
    Maurits:
    Agreed that Adam could have handled this better. Here's some best practices for dealing with an unsecured FTP site:
    1. Firewall off access to the machine on the FTP ports.
    2. Make sure you have all security patches installed.
    3. Scan for malware.
    4. Lock down the FTP site. It's perfectly OK to allow anonymous access read-only, perhaps to a "public" folder. Write access should require authentication.
    5. Delete all the inappropriate content.
    6. Now - and only now - reconfigure the firewall to allow access to the FTP site again.
    Best practices aren't easy to do when the boss is telling you not to do it. Then, if you're devoted to the fix despite your boss stopping you, you will attempt a fix that works invisibly, without anyone knowing: you make a whitelist covering your internal LAN and whatever IPs you logged and have by now confirmed to be folks who work on-site, then you add a script that checks for anyone who managed to log into your company website/email/etc. and temporarily adds that IP address to the whitelist for 24 hours, and another script that extends the whitelist duration for recent logins so someone doesn't get stopped in the middle of using the FTP.

    Then you check for people who repeatedly 24-hour-temp in from the same address, and perma-whitelist those. Then you add a script to check how long a whitelisted IP has gone unused and remove it if it's been long enough (a month?).

    After a while you wind up with a fully scripted system of whitelisting people into your FTP server which ultimately relies on folks logging into the company network before they get FTP access. With you checking the kinks every now and then.

    This way boss thinks everything is cool beans while you've got a semi-secured system rolling. And then when you find your next job, you get to see your scripts on WorseThanFailure.com

    okay, so what if you don't have web access?

    I mean webserver access.

    In that case,

    Get yourself a nice open source FTP server and modify the source code so the FTP server will spike any and all files it holds to phone home to your server for your periodic whitelist, while making sure that they give checksums/filesizes that match the original uploaded file. After a while, you just switch over to whitelists, because hopefully everyone will be trading and running files which inform your server that they are authorized users of your server. I'm sure you can fit web content or something into a Word doc, exe file, etc.

  • WTF (unregistered)

    It would be hard to have a fully loaded .45 cal desert eagle in his top drawer as they didn't produce a .45 cal version...

  • (cs)

    TRWTF is trying to explain anything computer related to management.

  • ÃÆâ€ââ (unregistered) in reply to Nagesh
    Nagesh:
    Here in Hyderbad, it is making the best to be finding holes in server BEFORE we implement production release. It is bad to be exploited when already released to wild. You could be losting your data this ways.

    Clearly, it was Nagesh's undecidedly NSFW material that Brian found.

  • Figert (unregistered) in reply to Valczir
    Valczir:
    pnieuwkamp:
    What's so bad about having just one server? Lots of companies have exactly that, just one server. Microsoft Small Business Server is specifically designed for it ;) (unless you take the Premium version, then you get another Windows Server Standard and Microsoft SQL Server Standard for Small Business).

    First off, you're using a Microsoft Server OS as an example - when has Microsoft ever done anything right in terms of servers? We can argue linux vs Windows vs OS X all day as far as desktop OSes go, but when it comes to servers, you're looking at a choice between linux, BSD, or getting a new job.

    Second, having everything running on a single server is what caused all of their data to get wiped because of a security flaw in the FTP server. If they had the FTP server running on another box, they wouldn't have lost their data.

    Running one thing on one server means if someone finds a way to exploit a security flaw in that one thing, all you lose is the one thing (FTP, in this case). Running two things on one server means that if someone finds a way to exploit a security flaw in either of those two things, you lose both of them.

    There's a balance between cost and security/stability/etc, but the answer is almost never "one server for everything".

    Coulda, Shoulda, Woulda, Dead.

    Although the article gives the impression of a large organisation, it doesn't definitively say so. Smaller organisations (especially ones where IT is not their main industry, nor even used significantly, by the sounds of it; "web page + financial information" sounds like a company that feels it needs a web page (probably one that still says 'under construction') and uses computers for basic HR (paying employees and the like) and for keeping customer invoices (probably in Excel format)) certainly should use multiple servers, but given that IT is probably an afterthought for them (and, aside from all else, is probably allocated very little budget), there should be little surprise that they do everything on a single box.

  • nick (unregistered)

    TRWTF is that the server used windows.

  • Varius (unregistered) in reply to saepius
    saepius:
    I don't get it: if Brian was just the junior technician, why did he go to the CEO and Owner and not the senior technician when he found the security hole? If he was the only technician, who disassembled the server overnight?

    Something does not compute.

    Is there some sort of anonymizer on this article? This is not the first post about Brian, yet I'm sure the name was Philip in my article....

  • Nobody (unregistered) in reply to nick
    nick:
    TRWTF is that the server used windows.

    Once you have had a few admin jobs where the personnel require Active Directory, permission settings and other stuff only Windows handles (not even Samba), you will understand that, for all that Windows did wrong, there is some functionality that people think is very valuable and that is not available under Linux/Unix.

    Most of the time I use Linux/Unix/IRIX, whatever *X is fit for the job. But sometimes the requirements FORCE the use of a Windows server.
