• MM (unregistered) in reply to Thomas
    Thomas:
    I'm curious with regards to the Computer Misuse Act. Suppose I create a web page with textboxes labeled for username and password and lower down the page I show the username and password. In addition, I write something on the page about not entering if you are not authorized. If I login, am I breaking the law? If so, then why have the login at all? Why not simply say something to the effect of "If you click this link and are not authorized, you are breaking the law." Why even bother with the login?
    That's how a lot of adult websites keep underage viewers out - with a "click here only if you're authorized to" link. If someone goes through who isn't authorized, it's their own fault for lying, and not the website's fault. It's not really for security so much as a shifting of blame.
  • MM (unregistered) in reply to Anonymous
    Anonymous:
    Felix Lockhart:
    What I send in this comment has probably been said several times throughout this discussion, I didn't realize when I posted it that there were more comments than what was on the initial page.
    Aaaah, so that's the problem.

    Voting for removal of "reply" button on featured comments.

    Seconded. This isn't the only thread that's gotten bogged down with duplicate responses from people who only see the featured comments.

  • (cs)

    Well... It's still security by obscurity, but at least it's a bit better.

    Hey FederalSuppliers guys, here's some advice for you: Go buy an internet security 101 book before somebody meaner and badder than the good guys here punches a hole in your security again and does some real damage.

  • KM (unregistered)

    So the new password is listing, found this out by using

    google to search

    http://www.federalsuppliers.com/warning.html

    then using the view similar pages link

    So, it's not my fault that google is a gateway tool

  • anon (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    "Should HAVE protected your info," not "should OF."

  • kormoc (unregistered) in reply to KM

    Actually it's not, that's in the clear under Procurement, and then click on the index link.

    What's amusing is the real password is test.

    test.html redirects to http://www.federalsuppliersguide.net/ where all their data is in the clear.

  • (cs) in reply to Alcari

    Actually, the new login secures the whole web, or at least all addresses that end with .html! Even more, it assigns its own password to every .html page on the web! Brillant!

    Alcari:
    I just wonder how often they had to tell their "agents" about the new changes to the "security" login.
    I wonder how they described this incident to their agents. Maybe something like "A gang of Internet Hackers, supposedly from the organization known as "Anonymous", hacked our servers, therefore we had to change the password." ---- "Oh nose, they did it again! Here's the new login data." ---- "Oh dear, such brillant hackers. Here, the new login data." ---- "Sorry, we had to take the site down because of recent attacks. We are working on a better protection system." ---- "Gladly, one of the hackers has posted a better solution. Let this be his fate. The new password is blabla."

    And what their agents must have thought: "WhoTF are you? Oh.... whatever." - "WTF, again? Lulz." - "WHATTHE- nevermind." - "....... OMG" - "WhoTF cares?"

  • Security101 (unregistered)

    They also left their database open with unsanitized inputs on page: http://www.federalsuppliers.com/test.html ENJOY!

  • Captain Obvious (unregistered)

    Here's my take on TRWTF. According to the article, Federal Suppliers Guide states that their guide is used EXCLUSIVELY by the gub'ment. They're hoping you misinterpret that to mean the government uses their guide exclusively - as in that's the only place they go to find these products and services. That would be insane. However, by "securing" these ads and only providing access to government agencies they can honestly say that they ARE USED (passive voice here) exclusively by the government.

  • Security101 (unregistered) in reply to Captain Obvious

    FSG uses their own service to hire web-developers, trust me I work for the government, I know how shitty the contractors are roflmao!

  • Captain Obvious (unregistered) in reply to Rawr
    Rawr:
    <!-- // **** You WILL NOT get access without a valid password **** var suffix = ".html" // **** javascript:IPcatch:subject?Source_code_violator **** var pass_msg = "Password: ";

    I think I'm going to adopt this style in my work.

    // **** This code WILL NOT crash ****
    // **** Users WILL NOT complain ****
    // **** Boss WILL ISSUE bonus ****
    // **** javascript:Execute:subject?Childish_made_up_code

  • lank (unregistered)

    Dang, now you need the password to get in

    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
      location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
      + pass_msg + '<input type="password" name="pass" size="20" value="">'
      + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');

  • Bob (unregistered)

    Dang, no robots.txt either, google doesn't have the files either :-(

  • Meredith (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    On the off-chance that this is a legitimate employee from FSG, I just want to say: it doesn't matter what YOU tell us. What matters is what your CLIENTS tell us. Regardless of how the client information was obtained, the fact is that the clients have been unsatisfied with your service. Instead of complaining about how "evil hackers" are hurting your service, how about improving your service so your current clients will be proud to recommend you to others?

  • Sean (unregistered)

    Who needs a password

    http://www.federalsuppliersguide.net

    Search to your heart's content (about 3 seconds)

  • Lorenzo (unregistered) in reply to Smash

    The password is "listing".

  • hacking haero (unregistered)

    Currently seen on http://www.federalsuppliers.com/warning.html

    <!--
    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"
    
    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";
    
    function go_there() {
     location.href = document.pass_form.pass.value + suffix;
    }
    
    document.write('<form name="pass_form" onSubmit="go_there();return false">'
     + pass_msg + '<input type="password" name="pass" size="20" value="">'
     + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');
    // -->
    

    Which is a very fandangled way of doing a user-supplied redirect.

    Sure enough, entering "test" forwards you to http://www.federalsuppliers.com/test.html where all ads can be searched.

    Captcha: haero
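To make the point above concrete, here is an added example (not code from the page or from the site under discussion) that models the posted script in Python beside what a server-side gate has to do instead. The class and function names, the PBKDF2 parameters and the sample content are assumptions, not anything from the site.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set, Tuple

# --- The posted script, modelled (hypothetical mirror of go_there()) ---
# Nothing is compared: the typed string plus ".html" becomes the address
# the browser navigates to, so every input "verifies".
SUFFIX = ".html"


def client_side_go_there(typed: str) -> str:
    """Return the location the browser would load for the typed string."""
    return typed + SUFFIX


# --- A server-side gate (assumed design, not the site's) ---
# Content is only served to a request carrying a session token, and a
# token is only minted after the password matches a stored salted hash.
def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


class ProtectedDirectory:
    """Serves paths from `content` only to authenticated sessions."""

    def __init__(self, password: str, content: Dict[str, str]) -> None:
        self._salt, self._digest = hash_password(password)
        self._content = content
        self._sessions: Set[str] = set()

    def login(self, password: str) -> Optional[str]:
        """Return a fresh session token on a correct password, else None."""
        _, candidate = hash_password(password, self._salt)
        # Constant-time comparison so timing does not leak how close a guess was.
        if hmac.compare_digest(candidate, self._digest):
            token = secrets.token_urlsafe(32)
            self._sessions.add(token)
            return token
        return None

    def get(self, path: str, token: Optional[str]) -> Tuple[int, str]:
        """HTTP-style (status, body). Knowing a path is not enough without a token."""
        if token is None or token not in self._sessions:
            return 401, "authentication required"
        body = self._content.get(path)
        if body is None:
            return 404, "not found"
        return 200, body


if __name__ == "__main__":
    # Constructed demo: the browser-side scheme accepts anything.
    print(client_side_go_there("anything"))
    site = ProtectedDirectory("correct horse", {"/directory": "the ads"})
    print(site.get("/directory", None))            # 401 without a session
    print(site.get("/directory", site.login("correct horse")))  # 200
```

The difference the example shows is where the decision is made: in the posted script the browser decides (and so the user decides), while the server-side version never exposes the protected resource at a guessable address, and the password is checked against a hash rather than against the file system.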

  • DC (unregistered) in reply to Lorenzo
    Lorenzo:
    The password is "listing".

    Did you email them?!

  • Micky (unregistered) in reply to Lorenzo
    Lorenzo:
    The password is "listing".

    No it's not, it's 'test'

    Hmm, I just tried searching, and got this error

    Your search did not match any ads.

    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a

    I was going to say 'at least they sanitise their SQL inputs', but I'm not so sure they do now - with an SQL statement like that (even allowing for truncation), I wonder if anyone there has got a clue what they're doing.

    Why would anyone do 'select 1 from

    where <anything>'?? Wouldn't just 'select 1' do? Does he really mean 'select * from ... LIMIT 1'?

    (This reminds me of the Tim Tang Test...)
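As an added example, not code from the page or from the site, here is the `EXISTS (SELECT 1 FROM ... WHERE ...)` pattern from the quoted error message written with bound parameters in Python's sqlite3, beside the string-concatenation pattern that produces errors of exactly that kind. The schema is constructed for the demo; the table and alias names are borrowed from the error text, the column names are assumptions.

```python
import logging
import sqlite3
from typing import List, Optional, Tuple

log = logging.getLogger("search")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample data (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ad (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE dbimg_ImageAttributeValue (
            ad_id INTEGER, attribute TEXT, value TEXT);
        INSERT INTO ad VALUES (1, 'Acme Widgets'), (2, 'Bolt Supply');
        INSERT INTO dbimg_ImageAttributeValue VALUES (1, 'category', 'hardware');
    """)
    return conn


def search_ads(conn: sqlite3.Connection, name_fragment: str,
               category: str) -> Tuple[Optional[List[str]], Optional[str]]:
    """Ads whose name matches and that have at least one image attribute in
    the given category. EXISTS (SELECT 1 ... WHERE ...) asks 'is there at
    least one such row'; the selected value is irrelevant, only the WHERE
    clause matters. Both inputs are bound, never pasted into the text."""
    sql = """
        SELECT a.name FROM ad a
        WHERE a.name LIKE ?
          AND EXISTS (SELECT 1 FROM dbimg_ImageAttributeValue iav
                      WHERE iav.ad_id = a.id
                        AND iav.attribute = 'category'
                        AND iav.value = ?)
        ORDER BY a.name
    """
    try:
        rows = conn.execute(sql, ("%" + name_fragment + "%", category)).fetchall()
    except sqlite3.Error as exc:
        # Keep the real error in the server log; the user gets a generic message.
        log.error("search failed: %s", exc)
        return None, "Your search could not be completed."
    return [r[0] for r in rows], None


def search_ads_concatenated(conn: sqlite3.Connection, name_fragment: str,
                            category: str) -> Tuple[Optional[List[str]], Optional[str]]:
    """The pattern behind errors like the quoted one: input pasted into the
    statement. An ordinary apostrophe (O'Brien) already breaks the query,
    and without handling the raw database error is what the user sees."""
    sql = (
        f"SELECT a.name FROM ad a WHERE a.name LIKE '%{name_fragment}%' "
        f"AND EXISTS (SELECT 1 FROM dbimg_ImageAttributeValue iav "
        f"WHERE iav.ad_id = a.id AND iav.attribute = 'category' "
        f"AND iav.value = '{category}') ORDER BY a.name"
    )
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return None, str(exc)  # raw engine message surfaced, as on the site
    return [r[0] for r in rows], None


if __name__ == "__main__":
    db = build_db()
    print(search_ads(db, "Acme", "hardware"))
    print(search_ads(db, "O'Brien", "hardware"))
    print(search_ads_concatenated(db, "O'Brien", "hardware"))
```

Two things to take from it: the `SELECT 1` inside `EXISTS` is ordinary, idiomatic SQL rather than a sign of confusion, and a syntax error triggered by a harmless apostrophe is the symptom of unbound input, which is why the visible error message is the more worrying part of the quoted output.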

  • jimmy (unregistered) in reply to Micky
    Micky:
    Lorenzo:
    The password is "listing".

    No it's not, it's 'test'

    Hmm, I just tried searching, and got this error

    Your search did not match any ads.

    Could not find images: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'exists (select 1 from dbimg_ImageAttributeValue iav where iav.a

    I was going to say 'at least they sanitise their SQL inputs', but I'm not so sure they do now - with an SQL statement like that (even allowing for truncation), I wonder if anyone there has got a clue what they're doing.

    Why would anyone do 'select 1 from

    where <anything>'?? Wouldn't just 'select 1' do? Does he really mean 'select * from ... LIMIT 1'?

    (This reminds me of the Tim Tang Test...)

    Try searching with no parameters. Only way I got it to work. Of course, it's not worth more than about 3 seconds of trying, so I did not do an exhaustive test.

    (danm figners keep hittign teh wrogn kesy)

  • Jussi (unregistered) in reply to Smash

    I just love the way they "fixed" it. It redirects to page [YourPassword].html .

  • BassBone (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Grammar is your friend, mmmkay. Why the government should trust you is beyond me.

  • BassBone (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    thank you hackers for trying to destroy federal suppliers guides reputation. i have worked here with my wife for 10 years now and have helped hundreds of clients obtain federal government work. i have 4 children and though you don't care you are hurting the feelings of many good employees and customers by your immature actions. sorry our site wasn't protected to your standards however all of you are being reported to the appropriate authorities as we have your information too. you should of protected your info a little better. not only is the company legit we actually have held a 5 year GSA contract with the federal government and one of my best clients just broke 500,000 dollars in federal sales directly related to the GSA contract we got them. i am proud to work here and help small businesses obtain government workand also help federal buyers locate qualified small businesses to do business with. if you not interested in government work or our services of helping small businesses navigate the federal market fine but please don't slander the company. its rude, your comments are not truthful we are not a scam and i hope someday you realize that all you have to do is check us out with dun & bradstreet or GSA or the florida local and state chambers of commerce to see that what we do is real and federal buyers do request both our hardcopy guides and the online directory as well.

    Grammar is your friend, mmmkay. Why the government should trust you is beyond me.

  • Project2501a (unregistered) in reply to Smash

    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
      location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
      + pass_msg + '<input type="password" name="pass" size="20" value="">'
      + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');

    priceless.

  • trees (unregistered) in reply to Project2501a

    listing is the password, takes you to the original page.

    the test.html page is just a test page the rookie webmaster has left up!

    There's probably index2.html, etc. still about as well.

    This site makes me cry :'(

  • (cs) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT
    FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT:
    {...} as we have your information too. {...}

    Idle threat. You may have our information, but seeing your JS skillz, I doubt you know where to look.

    If you find anyone who does, ask him to fix your security for you while he's at it.

  • RichardD (unregistered)

    Sounds a lot like some of the "charity publishing" scams operating out of Merseyside, England for the last few years. Small businesses get cold-called and invited to make a small donation to a charity in return for advertising space on wallplanners, diaries or booklets to be distributed in the community. The charities never see more than a few pennies, the publications don't exist, and the crooks run off with your money.

    Only difference is, this scam is online, and hopefully the US authorities take it more seriously than the UK ones.

  • More (unregistered) in reply to lank
    lank:
    Dang, now you need the password to get in

    // **** You WILL NOT get access without a valid password ****
    var suffix = ".html"

    // **** javascript:IPcatch:subject?Source_code_violator ****
    var pass_msg = "Password: ";

    function go_there() {
      location.href = document.pass_form.pass.value + suffix;
    }

    document.write('<form name="pass_form" onSubmit="go_there();return false">'
      + pass_msg + '<input type="password" name="pass" size="20" value="">'
      + '&nbsp;<input type="button" value="Verify" onClick="go_there()"></form>');

    Don't worry... you can still get in using a google search.

    That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.

  • IByte (unregistered) in reply to KM
    KM:
    So the new password is listing, found this out by using

    google to search

    http://www.federalsuppliers.com/warning.html

    then using the view similar pages link

    So, it's not my fault that google is a gateway tool

    Yes, or by using Google's "site:" keyword.

    So will they sue Google for breaching their "security"? ;-D

  • CipherChaos (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    It might help if you actually knew how to program... these people are actually doing you a favor.

  • Jesus (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Reading source code isn't hacking; that's like putting the combo to a safe on the safe, then setting it in the middle of a park, then yelling THIEF! when someone opens it.

    "though you don't care you are hurting the feelings of many good employees and customers by your immature actions."

    You need to find new employees if that's the best password mechanism they can manage to produce.

  • Boob (unregistered)

    http://www.federalsuppliersguide.net/?_name=&_description=&_q1=&_q2=&_q3=&_orderBy=name

  • Mexi-Fry (unregistered)

    Checking the Script node under Firefox DOM Inspector for this stupid site. I thought you guys might get a kick out of this. It appears that they left some useful information on their 404 page. Of course... you have to HACK their site to read it... but oh well.

    <HTML>
    <HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD>
    <BODY>
    <H1>Not Found</H1>
    The requested document was not found on this server.
    <P>
    <HR>
    <ADDRESS>
    Web Server at federalsuppliers.com
    </ADDRESS>
    </BODY>
    </HTML>

    <!--
     - Unfortunately, Microsoft has added a clever new
     - "feature" to Internet Explorer. If the text of
     - an error's message is "too small", specifically
     - less than 512 bytes, Internet Explorer returns
     - its own error message. You can turn that off,
     - but it's pretty tricky to find switch called
     - "smart error messages". That means, of course,
     - that short error messages are censored by default.
     - IIS always returns error messages that are long
     - enough to make Internet Explorer happy. The
     - workaround is pretty simple: pad the error
     - message with a big comment like this to push it
     - over the five hundred and twelve bytes minimum.
     - Of course, that's exactly what you're reading
     - right now.
     -->
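The padding trick described in that server comment, as an added example in Python (not code from the page or from the server in question): a small function that appends a filler HTML comment until an error body crosses the 512-byte threshold the comment quotes. The sample 404 body is constructed for the demo and only loosely resembles the quoted page.

```python
# Threshold quoted in the server comment above: bodies shorter than this
# were replaced by Internet Explorer's own "friendly" error page.
MIN_ERROR_BODY_BYTES = 512

# Constructed sample body (an assumption, not the real page).
NOT_FOUND_HTML = (
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>"
    "<BODY><H1>Not Found</H1>"
    "The requested document was not found on this server."
    "</BODY></HTML>\n"
)


def body_size(html: str) -> int:
    """Size of the body as it would go on the wire (UTF-8 bytes, not characters)."""
    return len(html.encode("utf-8"))


def pad_error_body(html: str, minimum: int = MIN_ERROR_BODY_BYTES) -> str:
    """Return html unchanged if it already has at least `minimum` bytes,
    otherwise append an HTML comment of spaces that brings it over the
    threshold. The filler carries no information, only size."""
    size = body_size(html)
    if size >= minimum:
        return html
    opener = "<!-- padding so that the body exceeds the browser's minimum size "
    closer = " -->\n"
    # opener/closer are ASCII, so their character count equals their byte count.
    deficit = minimum - size - len(opener) - len(closer)
    filler = " " * max(deficit, 0)
    return html + opener + filler + closer


if __name__ == "__main__":
    padded = pad_error_body(NOT_FOUND_HTML)
    print(body_size(NOT_FOUND_HTML), "->", body_size(padded))
```

Measuring in encoded bytes rather than characters is the detail to get right: a body with non-ASCII text can look long enough in characters and still fall under the byte threshold.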

  • David (unregistered)

    I think the WTF now is that most of this is HTML, meaning somebody typed that entire list in a single file, and not SQL or something useful.

  • Tristan (unregistered) in reply to More

    "listing" is for the index... but "gallery" gets even better.

  • Kevin Harris (unregistered)

    I was just randomly playing with their site and figured out a password to access the list. If you go to http://www.federalsuppliers.com/warning.html and use "test" as the password, it will give you full access. Let's see how long this will work.

    Kevin Harris http://www.thekevdog.com [email protected]

  • (cs) in reply to More
    More:
    That way you don't have to "hack" the site by using the password "listing" that someone was kind enough to find for us.

    Stop saying that, "listing" is as much of a password as "http://www.ccr.gov/index", as both of these pages are linked to on the procurement page.

  • Alba (unregistered)

    Try test and you're in:)

  • Jessica (unregistered)

    I wonder if this company is secretly managed by the city of Tuttle, Oklahoma (http://www.centos.org/modules/news/article.php?storyid=127)?

  • Stiggy (unregistered)

    Login page now says

    This section of our website is currently undergoing maintenance. Please check back later or contact your FSG representative for assistance. . Please check back later or contact your FSG representative for assistance..
    http://www.federalsuppliers.com/gallery.html still works just fine, though.

    Somewhere in Florida, a 14-year-old CEO's nephew is having a bad couple of days...

  • (cs)

    At least they're actively working on it.

    Anyone else noticing a larger than usual amount of spam being sent to your domain over the last few days?

  • The Dean (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Right.

    http://answers.yahoo.com/question/index?qid=20080221122622AAn21Qx

    Even the nimrods at Yahoo Answers know your company is a scam.

  • Dale Penguiculus (unregistered)

    That's a lot of traffic all of a sudden!

    http://www.alexa.com/data/details/traffic_details/officers.federalsuppliers.com

  • Alcari (unregistered)

    http://www.federalsuppliers.com/warning.html

    Now showing:

    This section of our website is currently undergoing maintenance. Please check back later or contact your FSG representative for assistance. .

  • China (unregistered) in reply to FEDERAL SUPPLIERS GUIDE CUSTOMER SUPPORT

    Ha ha - 4 more yank kids starving to death. Just a few million more to go.

  • no name, thanks. (unregistered) in reply to LordOfThePigs
    LordOfThePigs:
    Well... It's still security by obscurity, but at least it's a bit better.

    Hey FederalSuppliers guys, here's some advice for you: Go buy an internet security 101 book before somebody meaner and badder than the good guys here punches a hole in your security again and does some real damage.

    It would be doubtful that this would be covered. Internet security authors assume that you're clever enough to turn the computer on before writing "secure" websites. FederalSuppliers obviously gets their mommies to turn the PC on for them.

  • (cs) in reply to Dale Penguiculus
    Dale Penguiculus:
    That's a lot of traffic all of a sudden!

    Unfortunately, little of it is going to be directed to their banner advertisements since these banner ads work like no other banner ads I've ever seen (i.e. they are not integrated with the content pages). Instead you need to click on the text "Check Out Our Banner Advertisers Here" before you even get to see those! Wtf?

  • Alcari (unregistered) in reply to mendel
    mendel:
    Dale Penguiculus:
    That's a lot of traffic all of a sudden!
    Unfortunately, little of it is going to be directed to their banner advertisements since these banner ads work like no other banner ads I've ever seen (i.e. they are not integrated with the content pages). Instead you need to click on the text "Check Out Our Banner Advertisers Here" before you even get to see those! Wtf?

    Well, at least it's visitor friendly, even if it hurts in the wallet.

  • Schnitzel (unregistered)

    Here's something interesting: I ran across this post in a computers forum, where a user asked about this exact code (the forum is in Hebrew, but you can see the code right there).

    This took me by surprise, so I performed a small Google search and found this script as an example in a few javascript teaching websites: http://www.javascriptkit.com/script/cut76.shtml http://www.2createawebsite.com/enhance/password-protect.html http://www.sitepoint.com/forums/showthread.php?p=677417

  • (cs)

    Great post - I wonder if anyone has similar stories about the Marcus Evans group, whose sales team appears to have taken the same training courses as these guys and has the same 'value add'? Or maybe it's the same company - sounds too similar.

Leave a comment on “So You Hacked Our Site!?”