• sammy (unregistered) in reply to misha
    misha:
    Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

    Well, it takes a bit of kernel hacking, but...

  • (cs) in reply to Zygo
    Zygo:
    misha:
    Is there some mystic *NIX-fu I'm lacking here? Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?

    It is if you have something like the following line in your .bashrc:

    trap 'cd ~/SETI@Home && boinc -redirectio &' HUP
    

    A few decades ago there was the big BSD-vs-SysV-vs-POSIX split about signal handling, where one side went with signal handlers that handle multiple signals, and the other went with signal handlers that fire only once per signal, then revert to their default behavior (which is usually to terminate the program) automatically.

    Programs written on one side of the divide were ported to the other without taking this into account, or even worse, operating systems were quietly converted from one behavior to the other without providing compatibility glue at the application level. The result was that anyone who tried to do something graceful on receipt of a SIGHUP (terminal disconnected) or SIGPIPE (network socket disconnected) was buggered. Since almost nobody does any real QA on software, these bugs appeared throughout the industry, and with shared libraries it can appear retroactively in previously bug-free software.

    At one point in the 90's I was grepping sources for "signal.*SIG" because most of the time there was a spinning bug there waiting to happen.

    Or it could just be a daemon process. A very badly written one, obviously, but there's nothing in Unix that says you have to be connected to the originating TTY. Rather like Microsoft's wonderful decision to run all services through svchost, which is a trap-door just waiting to be opened. (This comment is deliberately OS-neutral.)

    Mind you, I think your suggestion is more plausible...

  • sammy (unregistered) in reply to nobody
    nobody:
    Guy walks into a building.

    "Hey! How did you get in here? The door is locked!"

    "Do you know you left the key hanging on a string by the door?"

    "I'm calling the police! Breaking and entering"

    You know, the funny thing is that I'm positive this is very analogous to the train of thought that people follow when discovering bugs like this. They say, "Wait - what happens if I do X?" Then they do X, and it turns out they suddenly have full administrative rights. Now they're hackers.

    And when they get tried for, say, substituting an administrator's name in an authentication token for their own, there's always a conversation with the prosecutor that goes like this:

    "So, you altered the so-called authentication token to use someone else's name."

    "Right."

    "Whose?"

    "Mr. Administrator's."

    "So, you knowingly and deliberately altered your system credentials to appear to be an administrator. And why would you do something like that?"

    At this point, the guy, who was really just screwing around, says the only thing he can think of: "I just wanted to see what would happen."

    10-20 in Federal Pound Me In the Ass Prison.

  • gary k (unregistered)

    No. You saw the film Hackers. FTW!!! Thanks for the laugh

  • The power of... squirrels!? (unregistered) in reply to The cow says....

    Although I did once know someone who called herself "Squirrel Girl". Hmmm...

    You mean like the comic book girl with the power of... umm... squirrels? Who somehow took out major comic villains with a crack team of squirrels, carried a "nut sack" with treats for her friends (no, really...) and had some of the most powerful lame powers in the history of lame comic powers as I learned from Wikipedia the other day?

    So, is she a nut case?

  • (cs) in reply to Reverend Lovejoy
    Reverend Lovejoy:
    Rich:
    in the gaddah da vidah

    By I. Ron Butterfly.

    captcha: paint (umm, wtf?)

    Wait a minute... that sounds like rock and/or roll music.

    "Hey Marge, remember when we used to make out to this hymn?!"

  • Bling Crosby and Bob Dope (unregistered)

    I witnessed a similar situation years ago, only the vengeful helpdesk drone succeeded in getting the hapless Java Programmer fired. I think they may have fixed the hole, who knows? I wasn't about to test it at that point.

  • (cs) in reply to abx
    abx:
    I think the issue here is that he didn't realize he was being logged until it was too late. The paper trail, in one sense, was already there to begin with.

    Just to be a weenie...

    I see logs all the time. Chances are, unless someone goes looking for something, it will never be noticed. Information overload. F.B. had nothing to worry about.

    On another note, reporting such things has never done me any good. In most cases, I'm called paranoid. It won't happen. I hate to be proven right in those cases, but almost always am. Laws of probability tell me the rest will come true eventually. Shoot. If I can figure out the hack while fiddling around at lunch, I won't put it past anyone who really wants to get in.

  • Gert (unregistered)

    Herbert is a WTF. Too bad that WTFs are real

  • Liam Clarke-Hutchinson (unregistered) in reply to TheRubyWarlock

    I've had the exact same experience working for a government department. Accidentally found myself staring at the holy of holies (the C:\ drive of our office's server, the one protected by an alarmed steel door), so wrote up an email explaining how I had ended up there, fired it off to the Chief Technology Officer, who promptly replied along the lines of "Do your job instead of trying to hack our server", which he kindly cc'ed to my manager, who was luckily a good and patient man.

    Moral of the story is: Get to know your CTO before reporting flaws, some of them take it as a personal insult.

  • Brad (unregistered)

    Bad analogies aside, he was pretty lucky. As an altruistic person myself, I might have done the same thing. On the one hand, obviously if they have audit trails and they see your unauthorized access, that would be bad for you if you didn't report it. But if you do report it and they fire you for "HAXZORING their systemz", that sucks too. I'd probably anonymously tip off management and explain what happened. If they want to find out who you are and punish you, they might be able to or they might not. But at least you responsibly disclosed the issue and tried to stay anonymous.

  • Bob Crankypants (unregistered)

    I once discovered a vulnerability in a very secure system - you could spoof email. So I posed the scenario up the chain, and naturally, it was all kept hush-hush, and nothing done about it.

    Sweet.

    So imagine, some person using that software, and pretending to be the CEO of his/her company just to mess with somebody's head - like a nice email to the Help Desk Martinet asking for his/her immediate resignation.

    Now who would ever do something like that? (said they)

    Anyway, I don't work there any more. (I resigned) It's just a matter of time before somebody sues them.

  • Garp (unregistered) in reply to Matt
    Matt:
    Lesson learned? Never report network vulnerabilities. Always keep them close for your own devices. Reporting them will only get you in trouble.

    Nope..

    Lesson Learned: Always, always raise issues with appropriate parties.

    I'm sorry but I just don't trust Helpdesk types in IT. Too many believe they are God. Rather than raise such a fault with them (and face the rather predictable results) I usually try and take it as high as possible without stepping too much on peoples toes, or if that isn't possible, raise it as an issue with my manager and let THEM raise it with appropriate parties using their authority as leverage.

  • Franz Kafka (unregistered) in reply to Sgt. Preston
    Sgt. Preston:
    I forgot my posting name:
    nobody:
    Guy walks into a building.

    "Hey! How did you get in here? The door is locked!"

    "Do you know you left the key hanging on a string by the door?"

    "I'm calling the police! Breaking and entering"

    That actually is still Breaking and entering. You can be charged with it. Just because you can get in, doesn't mean you should.

    Trespassing, yes. Breaking is a hard sell.

    Not even that. It isn't trespassing unless they post something telling you to go away or somebody tells you to leave and you don't. It's just entering.

  • Sigivald (unregistered) in reply to sammy

    And then Joe User's lawyer points out to the judge that the next thing Joe did was inform the IT staff, and that nothing else was done by Joe User.

    Joe User's lawyer then points out that the correct metaphor is not walking into a building and then being "caught" and explaining "I found a key", but of finding the key on the door, seeing it opened the door, and calling Security from outside.

    Then the Judge asks the company's lawyer why they're wasting the court's time. No prison time. No conviction. Company might even be paying his legal costs - if it even went that far. I find it unlikely that the prosecutor would even press charges, unless they lied to him about what happened.

  • Simen (unregistered)

    If I discovered a security issue in my company, I would send an email to security-officer@mycompany. That mailbox is read by a specially trained person who knows how to handle such things. He is required to never disclose who reported any security issue, just get the problem fixed.

    Ah, it's nice to work in an ISO/IEC 27001 certified company. :)

  • Andy Goth (unregistered) in reply to Demaestro
    Demaestro:
    is changing the value of a plain text cookie really hacking? This is almost security through obscurity.

    How about this? I once encountered a web site http://foo.bar/ that presented you with a login screen at which you'd enter your numeric user ID and your password. UIDs were assigned sequentially, which is obvious since mine was a three-digit number. If I entered my password correctly, I was taken to http://foo.bar/whatever.cfm?uid=123 where 123 is my UID.

    No cookies.

    So I tried changing the UID right in the URL, and it let me be another user, no questions asked! I tried 0 and found it to be the author of the web site. I contacted him and let him know there was a problem, and...

    He thanked me and fixed it right away. And he thanked me again a couple times over the years since then.

    This was the online homework site for an electrical engineering course I took, and the author was the professor who also happened to dabble in ColdFusion back when it was still an Allaire product.

    It wasn't possible to do anything really malicious with that particular web site. The worst you could do was solve another kid's homework problems for him, but you don't need access to the web site for that.

    Does this even qualify as security by obscurity? It's neither secure nor obscure, especially since ?uid= is the only thing in the URL, and all nonnegative UIDs less than your own are valid.
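    The two patterns Demaestro and Andy Goth describe above, a plaintext username cookie and a ?uid= parameter, fail for the same reason: the server takes the client's word for who it is. What follows is an added example written for this thread, not code from either site, and it goes one step past the thread by showing one common fix, an HMAC-signed token bound to a server-side key (a server-side session store is the other usual answer). The user table, SECRET_KEY, the request dict and the tamper() helper are constructed for the example.

```python
"""Added example: why a plaintext username cookie or a ?uid= parameter is
not authentication, and what the server has to do instead.

Illustrative code written for this discussion, not code from any site
mentioned in the thread. USERS, SECRET_KEY and the request dict are
constructed for the example.
"""
import hmac
import hashlib
import time

# Constructed user table: uid -> (name, role). uid 0 is the site author.
USERS = {0: ("prof", "admin"), 123: ("student123", "user"), 124: ("student124", "user")}

# --- Vulnerable pattern --------------------------------------------------
def whoami_insecure(request):
    """Trusts whatever identity the client sends.

    `request` is a dict standing in for the parsed query string and cookies.
    Both the ?uid= parameter and a plaintext cookie are under the client's
    control, so editing them *is* the whole attack.
    """
    uid = int(request.get("uid", request.get("cookie_uid")))
    return USERS[uid]

# --- Hardened pattern ----------------------------------------------------
# Constructed key; a real deployment loads 32 random bytes from a secret store.
SECRET_KEY = b"replace-with-32-random-bytes-from-os.urandom"

def issue_token(uid, now=None, ttl=3600):
    """Return 'uid.expiry.mac'. The MAC binds uid and expiry to the server key."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{uid}.{expiry}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{mac}"

def verify_token(token, now=None):
    """Return the uid if the token is authentic and unexpired, else None."""
    try:
        uid_s, expiry_s, mac = token.split(".")
    except ValueError:
        return None
    payload = f"{uid_s}.{expiry_s}".encode()
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time compare; a plain == leaks timing information.
    if not hmac.compare_digest(expected, mac):
        return None
    now = now if now is not None else time.time()
    if int(expiry_s) <= now:
        return None
    return int(uid_s)

def whoami_secure(request, now=None):
    """Identity comes only from the verified token, never from ?uid=."""
    uid = verify_token(request.get("cookie_token", ""), now=now)
    if uid is None or uid not in USERS:
        return None
    return USERS[uid]

def tamper(token, new_uid):
    """What F.B. did: edit the identity field in the cookie and leave the rest."""
    _, expiry_s, mac = token.split(".")
    return f"{new_uid}.{expiry_s}.{mac}"
```

    With the signed token, changing the identity field invalidates the MAC and the request is treated as anonymous, even if a ?uid=0 parameter is also present. Note that the MAC only proves the server issued the token; it does not stop a stolen token from being replayed, which is what the expiry and normal session hygiene are for.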

  • Top Cod3r (unregistered)

    F.B. is lucky he still has a job... by the mercy of the CIO, who obviously believes in second chances. There really is no excuse for reverse engineering the security measures of the corporate intranet. And who knows who else he told how to hack into that company's system.

    The real WTF is that F.B. still has a job instead of going to prison for corporate espionage.

    The help desk tech did the right thing, so I don't understand why people are criticizing him. He's the only one in this story with ethics.

  • Anon (unregistered) in reply to Sigivald
    Sigivald:
    Joe User's lawyer then points out that the correct metaphor is not walking into a building and then being "caught" and explaining "I found a key", but of finding the key on the door, seeing it opened the door, and calling Security from outside.
    And a brief prayer of gratitude is offered for the miracle of a trial by jury of your peers who aren't smart enough to get out of jury service.

    Although, to be fair, it's more likely to go that far if someone already has a grudge against poor Joe User.

    Sigivald:
    Then the Judge asks the company's lawyer why they're wasting the court's time. No prison time. No conviction. Company might even be paying his legal costs - if it even went that far. I find it unlikely that the prosecutor would even press charges, unless they lied to him about what happened.
    So, what you're saying is that the likely worst outcome isn't prison, it's just immediate loss of job (probably for "gross misconduct" or perhaps just "hacking", should anyone ask - which would be a problem for getting another similar job) and not much chance of getting a good reference? Wow. Um. That's, er, nice, I guess. Doesn't sound like a good deal to me, though. (Many people here live in right-to-work places, which means their right to work at a company can disappear if they look at the CEO in a funny way, and often the CEO doesn't entirely understand hacking beyond knowing that it's "bad".)

    The lesson is still simple: keep your mouth shut unless you're sufficiently certain of your employer to risk your entire career in the name of doing something ("analysing security flaws") that isn't in your job description. If you have a good boss then you're fine.

    And definitely keep your hands off the cookies - you know the system is crap, but unless you're paid to care there's often no sense in caring, or taking the risk.

  • Cheong (unregistered) in reply to jimlangrunner
    jimlangrunner:
    I see logs all the time. Chances are, unless someone goes looking for something, it will never be noticed. Information overload. F.B. had nothing to worry about.
    Not really.

    I, as a system administrator, use analysis tools to generate reports of administrative logins periodically. On a server where the admin rarely uses his credentials to log in (we all know server admins usually log in with the "administrator" account, not their own accounts, right?), that could be quite obvious.

    P.S.: Then again, anyone who cares to run such analysis tools probably won't use system's "administrator" account all the times, I think...
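    As an added example of the kind of periodic report Cheong describes (not code from any real tool; the log format, ADMIN_HOSTS and PRIVILEGED_ACCOUNTS are assumptions and the sample lines are constructed), this scans web access log lines that record the cookie-supplied username per request and flags two things: a privileged account used from a host admins don't normally use, and one client IP presenting two different identities within a few minutes, which is exactly what editing the username cookie mid-session looks like from the server side.

```python
"""Added example: the periodic 'who used the administrator account' report,
run over constructed web access log lines that include the cookie-supplied
username for each request.

Illustrative only; the log format, ADMIN_HOSTS, PRIVILEGED_ACCOUNTS and the
sample lines are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"administrator"}
ADMIN_HOSTS = {"10.0.0.5"}            # constructed: workstations admins actually use
SWITCH_WINDOW = timedelta(minutes=10)  # two identities from one IP inside this = suspicious

# Constructed format: "<date> <time> <client ip> user=<cookie user> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+)$"
)

def parse(lines):
    """Parse the lines that match the format; skip anything else instead of crashing."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events

def report(lines):
    """Return a sorted list of (kind, client_ip, detail) findings."""
    events = parse(lines)
    findings = set()

    # 1. Privileged account used from a host admins don't normally use.
    for e in events:
        if e["user"] in PRIVILEGED_ACCOUNTS and e["ip"] not in ADMIN_HOSTS:
            findings.add(("priv_from_unusual_host", e["ip"], e["user"]))

    # 2. Same client presenting more than one identity inside a short window:
    #    the signature of someone editing the username cookie mid-session.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > SWITCH_WINDOW:
                    break
                if a["user"] != b["user"]:
                    findings.add(("identity_switch", ip, f"{a['user']}->{b['user']}"))
    return sorted(findings)

# Constructed sample log, not real data.
SAMPLE_LOG = [
    "2007-03-14 12:01:05 10.0.0.5 user=administrator GET /admin/users",
    "2007-03-14 12:31:10 10.0.0.42 user=fb GET /intranet/home",
    "2007-03-14 12:33:48 10.0.0.42 user=administrator GET /intranet/hr/salaries",
    "2007-03-14 12:34:02 10.0.0.42 user=administrator GET /intranet/hr/reviews",
    "2007-03-14 13:10:00 10.0.0.77 user=alice GET /intranet/home",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for kind, ip, detail in report(SAMPLE_LOG):
        print(f"{kind:24s} {ip:12s} {detail}")
```

    The second check is the one that matters for this story: a legitimate administrator logging in from an unusual host is noise, but a single workstation that is "fb" at 12:31 and "administrator" at 12:33 is a switched cookie, whoever is running the report.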

  • audiedog (unregistered)

    Maybe it's just me, but the WTF here is that F.B. just decided to see what would happen on his own. Just because I notice a window is open doesn't give me any right to crawl through it. I would, however, be justified in going to the front door and announcing the possibility that someone could.

    While I agree that the CIO did the right thing in not punishing F.B., he would have been well within his rights to do so. Why the administrator's user name, why not someone with less permissions than himself? He could have verified his suspicions that way, but he chose a way that could make him feel superior, clever, like a hacker - whatever.

    Unless you are paid to find security holes like the one F.B. found, or you have very clear permission, do yourself a favor and never try to increase your privileges. You are asking for trouble if you do.

  • Shinobu (unregistered) in reply to Hunter
    Hunter:
    http://www.superdeluxe.com/sd/contentDetail.do?id=D81F2344BF5AC7BB77D6A0E55069BD0A9B3A52CB005FA7D7
    misha:
    Is the defined behavior for bash on receiving SIGHUP actually to spawn a SETI@Home process?
    Thanks, those really made my day.

  • (cs) in reply to Bob Crankypants
    Bob Crankypants:
    I once discovered a vulnerability in a very secure system - you could spoof email. So I posed the scenario up the chain, and naturally, it was all kept hush-hush, and nothing done about it.

    Sweet.

    So imagine, some person using that software, and pretending to be the CEO of his/her company just to mess with somebody's head - like a nice email to the Help Desk Martinet asking for his/her immediate resignation.

    Now who would ever do something like that? (said they)

    Anyway, I don't work there any more. (I resigned) It's just a matter of time before somebody sues them.

    My colleague and I accidentally discovered the same thing on our work email system.

    We were mucking around with the SMTP engine in .NET, and found out that you could spoof the from address quite easily and our email server would just accept it. Suddenly I could be the CEO sending mails to people.

    Luckily, we were on good terms with the IT guy, so we sent him a mail from himself detailing the problem :-P He took it well and closed the hole.

  • Ed (unregistered)

    The real question here is why does IT have access to everything? Why do they need access to HR and accounting data? They don't, and shouldn't have it.

  • Ed (unregistered) in reply to Quinnum

    Yeah, you can also send emails from an email address that doesn't even exist on the mail server. Just try telnetting to your mail server and typing in the SMTP commands. It's fun.

  • (cs) in reply to The cow says....
    The cow says....:
    AbbydonKrafts:
    Yay! A happy ending!
    he found Adam and Eve holding leaves and squirrels in front of their swimsuit areas

    snicker

    Hold a squirrel to your "swimsuit areas", it won't be a happy ending for long.

    Although I did once know someone who called herself "Squirrel Girl". Hmmm...

    My friends know me as "Squirrel".

    Contrary to what they say, I am not a practical or willing swimsuit replacement.

  • GrahamS (unregistered) in reply to audiedog
    audiedog:
    Why the administrator's user name, why not someone with less permissions than himself? He could have verified his suspicions that way..

    But tightening your assigned access permissions is arguably not a security hole. Whereas widening them obviously is.

  • (cs) in reply to Ed
    Ed:
    Yeah, you can also send emails from an email address that doesn't even exist on the mail server. Just try telnetting to your mail server and typing in the SMTP commands. It's fun.

    Only on an SMTP server that hasn't been tied down from acting as a mail relay. Any admin leaving that door open should indeed be fired.

  • (cs) in reply to Bob Crankypants
    Bob Crankypants:
    So imagine, some person using that software, and pretending to be the CEO of his/her company just to mess with somebody's head - like a nice email to the Help Desk Martinet asking for his/her immediate resignation.

    Now who would ever do something like that? (said they)

    Anyway, I don't work there any more. (I resigned) It's just a matter of time before somebody sues them.

    Was it your idea to resign, or did you get an email from the CEO asking you to?

  • GrahamS (unregistered) in reply to Taz
    Taz:
    Ed:
    Yeah, you can also send emails from an email address that doesn't even exist on the mail server. Just try telnetting to your mail server and typing in the SMTP commands. It's fun.

    Only on an SMTP server that hasn't been tied down from acting as a mail relay. Any admin leaving that door open should indeed be fired.

    Many email clients let you change the 'From' address anyway. I use http://fastmail.fm and I can happily set my 'From' address to anything I like.

    This isn't really the same as a true open-relay, as you still have to be an authenticated user to do it. Open-relay implies that anyone, including naughty spammers, can connect to the SMTP port and send email.
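    To make the distinction Ed, Taz and GrahamS are drawing concrete, here is an added example (written for this thread, not any mail server's real configuration) that parses a constructed client-side SMTP transcript and applies a small acceptance policy. Three cases fall out of it: an unauthenticated client relaying to an outside domain is Taz's open relay; an unauthenticated outside client whose MAIL FROM or From: header claims a local address is the spoofing Ed describes; and an authenticated user setting a From: they don't own is GrahamS's case, which a server may or may not choose to enforce. LOCAL_DOMAINS, OWNED_ADDRESSES and the "AUTH PLAIN <user>" shorthand for a completed login are assumptions of the example, not real protocol syntax.

```python
"""Added example for the SMTP spoofing sub-thread: what an SMTP server
actually sees, and the difference between an open relay, inbound mail with
a forged local sender, and an authenticated user who sets an arbitrary From.

Written for this discussion; the transcripts and the policy are constructed,
not taken from any real mail server's configuration.
"""
import re

LOCAL_DOMAINS = {"corp.example"}
# Constructed: which mailbox(es) each authenticated account may send as.
OWNED_ADDRESSES = {"bob": {"bob@corp.example"}}

ADDR_RE = re.compile(r"<([^>]+)>")
HEADER_FROM_RE = re.compile(r"^From:.*?([\w.+-]+@[\w.-]+)", re.I)

def parse_session(transcript):
    """Extract the parts of a client-side SMTP transcript a policy cares about."""
    session = {"auth_user": None, "mail_from": None, "rcpt_to": [], "header_from": None}
    in_data = in_headers = False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":                 # end of DATA
                in_data = False
            elif in_headers:
                if line == "":              # blank line separates headers from body
                    in_headers = False
                else:
                    m = HEADER_FROM_RE.match(line)
                    if m and session["header_from"] is None:
                        session["header_from"] = m.group(1).lower()
            continue
        upper = line.upper()
        if upper.startswith("AUTH "):
            # Constructed shorthand: "AUTH PLAIN <user>" stands for a completed login.
            session["auth_user"] = line.split()[-1]
        elif upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(line)
            session["mail_from"] = m.group(1).lower() if m else ""
        elif upper.startswith("RCPT TO:"):
            m = ADDR_RE.search(line)
            if m:
                session["rcpt_to"].append(m.group(1).lower())
        elif upper == "DATA":
            in_data = in_headers = True
    return session

def domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def decide(session):
    """Return (verdict, reason) for a parsed session."""
    user = session["auth_user"]
    env_from = session["mail_from"] or ""
    hdr_from = session["header_from"] or ""
    external_rcpts = [r for r in session["rcpt_to"] if domain(r) not in LOCAL_DOMAINS]
    if user is None:
        # Unauthenticated: only inbound mail to local mailboxes is legitimate.
        if external_rcpts:
            return ("reject", "open relay: unauthenticated client relaying to external domain")
        if domain(env_from) in LOCAL_DOMAINS or domain(hdr_from) in LOCAL_DOMAINS:
            return ("reject", "unauthenticated client claiming a local sender address")
        return ("accept", "inbound mail from outside to a local mailbox")
    # Authenticated: may relay anywhere, but only as an address they own.
    owned = OWNED_ADDRESSES.get(user, set())
    for label, addr in (("envelope", env_from), ("header From", hdr_from)):
        if addr and addr not in owned:
            return ("reject", f"{label} {addr} not owned by authenticated user {user}")
    return ("accept", f"authenticated user {user} sending as an owned address")

# Constructed transcript: the "email from the CEO" trick typed into telnet.
SPOOF = (
    "EHLO attacker.example\n"
    "MAIL FROM:<ceo@corp.example>\n"
    "RCPT TO:<helpdesk@corp.example>\n"
    "DATA\n"
    "From: CEO <ceo@corp.example>\n"
    "To: helpdesk@corp.example\n"
    "Subject: Please resign\n"
    "\n"
    "Effective immediately.\n"
    ".\n"
    "QUIT\n"
)
```

    Note the two separate sender fields: the envelope MAIL FROM, which the server uses for routing and bounces, and the From: header inside DATA, which is just text the client wrote and is all the recipient's mail client shows. Many servers accept any local recipient from an unauthenticated client because that is how inbound mail arrives at all; the missing check in the stories above is the second one in decide(), refusing a local sender from a connection that never authenticated.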

  • gygax (unregistered) in reply to audiedog
    audiedog:
    Maybe it's just me, but the WTF here is that F.B. just decided to see what would happen on his own. Just because I notice a window is open doesn't give me any right to crawl through it. I would, however, be justified in going to the front door and announcing the possibility that someone could.

    While I agree that the CIO did the right thing in not punishing F.B., he would have been well within his rights to do so. Why the administrator's user name, why not someone with less permissions than himself? He could have verified his suspicions that way, but he chose a way that could make him feel superior, clever, like a hacker - whatever.

    Unless you are paid to find security holes like the one F.B. found, or you have very clear permission, do yourself a favor and never try to increase your privileges. You are asking for trouble if you do.

    A closer-to-home analogy would be: F.B. walks by a window, it looks like it isn't closed properly so he goes up and pokes it, sure enough, it swings wide open, and there is a ladder below the window to help getting inside. At this point F.B. goes in through the front door and tells the correct person about the open window and ladder below it. ;) Now, would that guy really be at fault for poking the window to make sure it wasn't closed?

  • potato masher (unregistered) in reply to Top Cod3r
    Top Cod3r:
    F.B. is lucky he still has a job... by the mercy of the CIO, who obviously believes in second chances. There really is no excuse for reverse engineering the security measures of the corporate intranet. And who knows who else he told how to hack into that company's system.

    The real WTF is that F.B. still has a job instead of going to prison for corporate espionage.

    The help desk tech did the right thing, so I don't understand why people are criticizing him. He's the only one in this story with ethics.

    Yeah, that's a hoot. User A thinks he sees a critical flaw in his company's system, and verifies it. He then submits said flaw to the appropriate audience so that the company can be protected. That's horribly unethical. I mean, the nerve of this guy to want to help prevent actual security intrusions when he knows perfectly well that it's 'not his responsibility'. I mean, even though no one else is apparently looking for these things a responsible party will probably just figure it out one day and take care of it, yeah?

    I think you're absolutely right, he should have kept the idea to himself and let it come to light on its own when someone else abuses it to steal employee SSNs or corporate trade secrets. That is truly a model of ethical behavior right there.

  • snoofle (unregistered) in reply to potato masher
    potato masher:
    Top Cod3r:
    F.B. is lucky he still has a job... by the mercy of the CIO<snip>
    Yeah, that's a hoot. <snip>
    I happen to have a background doing real security for military installations, and know a fair amount about [some aspects of] security.

    A while back, I worked for a (fairly large) place where the security people had the attitude "we know more than you". The person in charge got into it one day with my boss who called me in to explain what I was doing to comply with certain rules.

    I explained that we were doing nothing because:

    1. the way the e-mail system was set up, you could spoof mail to look like it was sent by another user
    2. numerous senior developers and most managers had admin rights, so they could simply wipe out the log entries that indicated what had been done

    The security admin challenged me to prove her wrong. I leaned across my boss' desk, typed a few commands, and sent an email, from my boss' email client, as/from the head of security, to the firm at large, explaining what I did, at whose urging, from where, and when, and challenging the security folks to prove it.

    About 2 minutes later, the head of security gets a page and mumbles something just shy of "wtf?!", and the senior security developer comes over. He takes the machine, and of course he can't find anything because I deleted the log entries. He asked me how I did it; I told him and he admitted (to his boss) that as long as I had admin rights, the "security" was worthless.

    We got some nasty looks and a day or so later, everyone got an email from security explaining the hole, and that we "just shouldn't do that".

    It's a running joke to this day.

  • Spudley (unregistered) in reply to anon
    anon:
    jetcitywoman:
    Of course there were no apologies offered.

    Apologies for what? You were still the bonehead who sucked up all their clock cycles.
    What did you want them to say? "We're sorry for thinking you are evil, when you are obviously only stupid."

    That's the trouble: Most of the time when people assume bad intent, the problem is just ignorance, carelessness or lack of communication.

    All of those can be dealt with easily enough, but when people jump to conclusions of evil intent, things can very quickly get out of hand.

  • Crash Magnet (unregistered) in reply to capnPedro
    capnPedro:
    Crash Magnet:
    I once saw a survey of the most popular passwords used by systems administrators. The number one most popular password quoted was "god".

    Crash Magnet

    no. You saw the film Hackers.

    No, actually my memory of that factoid is from college (BSEE 1987). The movie came later (1992).

    Crash Magnet CAPTCHA: smile

  • (cs)

    Let's say I leave my house in a hurry and forget to lock the door. My friend swings by later and knocks on the door. Since it didn't close all the way earlier, the door swings open a couple inches. He leans his head in and calls my name. Realizing I'm not there, he locks the door for me and leaves. After he relays this story to me later, I have him arrested for breaking and entering.

  • (cs)

    I've been lucky in that any systems I've "poked" at were secure, or at least reasonably so, but I had a boss who wasn't so lucky.

    As he designed e-commerce websites for a living, he knew about SQL injection and how to prevent it. One day he discovered that a different e-commerce design company didn't know about it and was happily producing websites for clients with a ragingly huge hole... a simple insert in the login page and lo', you now have logged in as the first user in the database, which was always the admin. He contacted the company and let them know and they told him to sod off. So he tried the next best thing... letting the businesses with e-commerce sites designed by this company know that they had a big glaring hole in their page and vandals could easily get in.

    This went on for about a year. Results were mixed, either people ignored him or thanked him profusely. He never asked to be paid, but he did receive gifts from some of the businesses (small things under $50 or so).

    Then one day he contacted a company that had just put up their site from this web design place. Instead of thanking him (at best) or ignoring him (at worst), they pressed charges against him. Seems that around the time he informed them of the hole, they had a database crash and lost data.

    He showed me the evidence against him... munged emails, incomplete email headers, a database crash that didn't appear to have anything to do with SQL injection, nothing that really stood against him. But an IT/tech ignorant defense lawyer and a judge who didn't understand the little details and who wanted to make an example out of a "hacker" resulted in a charge of "mischief against data" and it stuck. He was banned from using a computer for two years, except for work purposes and only in a work environment, plus tonnes of community service.

    The websites he found weren't even for big-name companies or anything... just small local businesses around Canada and the US. Someone with a bug up their ass though needed someone to blame when their system took a dump and left them scrambling. Why not the "hacker" who simply let them know they left their door unlocked?

    After all this went down, he stopped informing people... and to this day there are still websites being put out by some companies that are vulnerable and likely being mined for information from people who know how to "hack" the login.

    -- Seejay
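    The login hole Seejay describes is the textbook string-concatenated SQL query: an injected quote and an always-true predicate turn the WHERE clause into "match everyone", and the first row returned is whoever was created first, usually the admin. As an added example (not the boss's code or the design company's; the schema and rows are constructed, sqlite3 stands in for whatever database those sites used, and passwords are stored in the clear only to keep the injection visible), here is the vulnerable query beside the parameterised fix, with the payload that logs in as the first row.

```python
"""Added example for the SQL-injection login story above: the query shape
that logs the attacker in as the first row (typically the admin), and the
parameterised version that does not.

Illustrative code written for this thread; the schema and sample rows are
constructed. Passwords are stored in plaintext here purely to keep the
example short; a real system stores a salted password hash.
"""
import sqlite3

def setup():
    """Build a constructed in-memory users table. The admin was created first."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")],
    )
    return db

def login_vulnerable(db, name, password):
    """String-concatenated query: the hole Seejay's boss kept finding.

    Whatever the user typed becomes part of the SQL statement itself.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "' LIMIT 1")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, name, password):
    """Bound parameters: the input is passed as data, never parsed as SQL."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ? LIMIT 1",
        (name, password),
    ).fetchone()
    return row[0] if row else None

# The payload typed into the username box. It closes the name literal, ORs in
# an always-true comparison, and the trailing -- comments out the rest of the
# original statement (including the password check and the LIMIT).
PAYLOAD = "' OR '1'='1' -- "

if __name__ == "__main__":
    db = setup()
    # Resulting statement for the vulnerable path:
    #   SELECT name FROM users WHERE name = '' OR '1'='1' -- ' AND password = 'x' LIMIT 1
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "x"))
    print("fixed:     ", login_fixed(db, PAYLOAD, "x"))
```

    The fixed version is not "escaping done right"; it is a different mechanism. The database driver sends the statement and the values separately, so there is no string for the quote in the payload to break out of. Hashing the stored passwords is a separate, equally necessary fix that this example deliberately leaves out.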

  • WasteOfAmmo (unregistered)

    Back in my SQA days at a relatively small network gear manufacturer it was very late one night (or early in the morning) and I was using one of our servers to run tests on some new network gear. In trying various things I stumbled across a way of using one of our systems to be able to switch to any known user.

    After waking up considerably more than I had been, checking to make sure what I found was what it looked like - I could switch to whatever valid user I wanted and have complete access to whatever the user did - I did the only reasonable thing one would think of doing at 04:30 - I switched to the head SysAdmin's account and fired off an email to him stating that he might want to talk to me in the morning. Then I went home to catch a few z's.

    Needless to say after reading an email from himself to himself that he did not write and noting the text file in his home dir that I had created with a similar message (testing) I was greeted with a rather "Hey, we need to talk" as I walked past his office in the morning.

    Since "Bob" was a great SysAdmin and decent guy all went well. That event started me down the road to my present SysAdmin job. Lucky for me there are decent companies and folks out there.

  • The cow says... (unregistered) in reply to The power of... squirrels!?
    The power of... squirrels!?:
    Although I did once know someone who called herself "Squirrel Girl". Hmmm...

    You mean like the comic book girl with the power of... umm... squirrels? Who somehow took out major comic villains with a crack team of squirrels, carried a "nut sack" with treats for her friends (no, really...) and had some of the most powerful lame powers in the history of lame comic powers as I learned from Wikipedia the other day?

    So, is she a nut case?

    Something about a "Software Quality Research Lab" if memory serves. A little nutty, but all the best geek girls are.

  • Worf (unregistered) in reply to a nony mouse
    a nony mouse:
    In rare cases, it's possible for management to overreact to the point of actually bringing criminal charges. Google for "just another convicted perl hacker". The takeaway from that episode seems to be: Get it in writing before you poke around dark corners.

    Heck, mixing up your scalar and list contexts in perl can get you in trouble.

  • iMalc (unregistered)

    Any guesses as to how they fixed it?

    ROT13 encoding of the name perhaps?

  • DreamWarrior (unregistered)

    There exists a line between stumbling upon a potential hole and exploiting the hole. In this case, it was crossed.

    Were I F.B., someone not specifically hired to hack the system and find holes, I would have stopped when I peeked at the cookie and said to management "hey, this cookie looks insecure, maybe you should look into it."

    At that point, if something happens/happened I could both say "I told you so" and since I never exploited the hole they can't say "you hacked us" (without fabricating evidence of course).

  • Andrew (unregistered)

    In the words of a sign outside of the Savannah River Site: Security is everyone's business

  • Brad (unregistered) in reply to Ed
    Ed:
    The real question here is why does IT have access to everything? Why do they need access to HR and accounting data? They don't, and shouldn't have it.

    True, but it's hard to do in practice. Unless the data storage for the application is encrypted, root has access to everything. Or the administrator could boot to single user mode. When you have physical access to a machine, you own it.

  • mh (unregistered) in reply to Brad
    Brad:
    Ed:
    The real question here is why does IT have access to everything? Why do they need access to HR and accounting data? They don't, and shouldn't have it.

    True, but it's hard to do in practice. Unless the data storage for the application is encrypted, root has access to everything. Or the administrator could boot to single user mode. When you have physical access to a machine, you own it.

    I have access to everything because somebody has to be the Enterprise Admin. I just happen to be the most suitable person for that job in my workplace.

    This has come up quite a few times, but unfortunately there are always situations where I need to do my job (like transferring data from one server to another, for instance).

    It's a matter of trust, and I appreciate some folks may not be comfortable with it, but as far as I'm concerned if I go poking around in someone else's stuff for my own personal jollies I deserve to be caught, and deserve what's coming to me. I obviously also have nothing better to be doing.

  • Steele (unregistered) in reply to DreamWarrior

    Well, based on the other experiences, they are likely to be told "just don't do it" and the boss might even write a rule on the wall illustrating exactly what you "must not" do. Years later he would still run across the same plain-text name in his cookie and shake his head in disgrace.

    There are also a couple of reinforcing issues here:

    1. When someone sees what looks like an obvious security flaw, that can easily be proven in seconds, the first intuition of a curious person is to just try it - no point worrying about it if you're wrong.

    2. Every second, minute, hour, day, etc that the hole goes untested and unfixed is another chance for a real attack.

    3. To the politically inexperienced it seems counter-intuitive to spend hours or days ass-covering first, because it's obvious that there is an altruistic intent. And what can you define as enough ass-covering? I recall that even contracted security probers have been accused of hacking.

    4. They probably already know that their co-workers and boss are computer illiterate to the point where even discussing this will only result in a mental breakdown.

    5. In the situations illustrated here you are only accessing publicly visible/available data/functions - can you be accused of compromising security when there actually was none to begin with? There was only a facade impersonating security. If you find a site on a random URL are you a hacker just because you weren't supposed to know it's there?

    Every company should have an amnesty, even rewards, for people who find these issues without going on to execute any malicious commands. How else will you find the holes and get them fixed? I hardly think MS tests their security perfectly - people leak flaws to -force- them to close the gaps that would otherwise be ignored.

  • Etaoin Shrdlu (unregistered) in reply to Steele
    Steele:
    3. To the politically inexperienced it seems counter-intuitive to spend hours or days ass-covering first, because it's obvious that there is an altruistic intent. And what can you define as enough ass-covering? I recall that even contracted security probers have been accused of hacking.

    Can you provide a cite? I'd like to see that one.

  • SkyFalling (unregistered) in reply to Squiggle
    Squiggle:
    My friends know me as "Squirrel".

    Contrary to what they say, I am not a practical or willing swimsuit replacement.

    Sounds like you need hotter friends.

  • Leo (unregistered)

    Thomas Gabriel: Hey, I found this security bug in the FBI's and NSA's backup system, you'd better make offsite backups.

    NSA: no, f*** off

    Thomas Gabriel: Ok, if you don't respect security reports, I am annoyed and I will disappear underground, gather terrorists around me, including hot chicks with hacking abilities, hack the FBI and NSA, destroy the nation's energy and telecommunications, make a fire sale, and only Bruce Willis can stop me.

    NSA: whatever.

    (taken from this recent movie called Die Hard 4)

  • alexgieg (unregistered) in reply to Leo

    I did something similar in my previous job, some 10 years ago. I worked at a help desk in a large ISP and our server room was near a training room where interested customers received a short Internet usage (browsing, e-mail, etc.) training, with a coffee break. One day, I happened to be there talking about a problem in the intranet with the sysadmin assistant, when he left the room to eat something at the coffee break table. The thing is: he left with his terminal logged in to the root account. When he came back, I told him (very politely, IMHO) that doing this was insecure, for I might have done whatever I wanted at the prompt. Result: he talked to his boss (the actual sysadmin), who asked my boss to fire me.

    Luckily, my boss refused. Unluckily, 3 months later my boss's boss told him to fire "that hacker" (me), mentioning this incident in a very distorted way as one of the reasons. The other reasons? My findings (by blind luck, or lack thereof, mind you) of other security holes, which in his eyes amounted to a "negative aptitude" towards the company.

    Captcha: ninjas
