
Horrifying...


RogueHart


I went to the career center recently and sat down to do some research on the computer.

No firewall. No password on the router. WEP encryption (didn't need it anyway; the password was the phone number). No blocks on ANYTHING on the computer. No locking you to the browser. Nothing. It was horrible. I could have had half the town's lives in my hands in a matter of minutes, and I could have done horrible things. They had no locks on anything, so I could have set up a telnet or SSH server without any problem (I was able to enable the built-in IIS services).

And the really bad thing is, when I offered my services (cheap too: $20 an hour on an as-needed basis, mainly because I don't have any certs, so a low price is about all that gets me a job), they said they have a full-time in-house IT specialist.......

This is just horrifying to me. I'm just glad I never gave them any real information (I just wanted to see if there were any openings around), because it would have been laid out on the table for anyone with a brain.


Thing is, there are tons of places that offer computer access and have NO security in place whatsoever, let alone WEP. The person in charge of their IT department should be castrated, fed his own balls, then fired. No excuse in this day and age for this sort of practice and ignorance.

Places like that, people often fill out important things, like job applications, that require SS#s, DOB, address, etc., etc. If it's all accessible over wifi (and even MITM'ed via SSLstrip, ARP, etc.), then that is a huge issue, because identity theft could be rampant, if not already happening from that one location. If you found this hole, then I'm sure many others have, and some may have purposely not told anyone, for their own personal use and abuse. Not everyone is as honest as you, trying to let them know about their lack of security.

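
The ARP side of the MITM scenario in the post above is the one a defender can actually watch for from the kiosk LAN. The script below is an added example for this thread, not code from any poster: it walks a list of observed ARP replies and flags the two symptoms of ARP poisoning, an IP that starts answering from a second MAC, and one MAC that claims the gateway's IP and a client's IP at the same time (the attacker relaying in both directions). The replies, addresses and MACs are constructed, not captured from any real network.

```python
"""Flag ARP-poisoning symptoms in a sequence of observed ARP replies.

Added example; the reply list is constructed, not a real capture."""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) as seen in ARP replies on a
# small office LAN. The last two entries are what a poisoning tool emits.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:dd:ee:01"),  # kiosk 1
    ("192.168.1.21", "aa:bb:cc:dd:ee:02"),  # kiosk 2
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # attacker claims the gateway IP
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # and kiosk 1, to relay both ways
]

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the sample


def detect_arp_spoofing(replies, gateway_ip):
    """Return a list of alert strings for the given (ip, mac) replies.

    Symptom 1: an IP that has been seen with more than one MAC.
    Symptom 2: one MAC answering for the gateway and for another host at
    once, which is how a relaying MITM looks on the wire.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()
        if ip in ip_to_macs and mac not in ip_to_macs[ip]:
            alerts.append(
                f"{ip} changed MAC: {sorted(ip_to_macs[ip])} -> {mac}"
            )
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    for mac, ips in mac_to_ips.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(
                f"{mac} claims gateway {gateway_ip} and also {others}: likely MITM"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(alert)
```

Symptom 1 on its own is noisy on a DHCP network, since a reused lease legitimately moves an IP to a new MAC; pinning the gateway's MAC statically (the second check) is the reliable signal, and on a real LAN you would feed this from a packet capture rather than a hard-coded list.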
It's like that in several different businesses, but this one worried me because it's a state-funded agency with stations all across TN. Hundreds of people put in their personal information at each place. I'm not sure if it's all accessible via wifi or if it's all hard copy, but either way this is still a very bad thing.


What I meant was, if you can access their network via wifi, then you could pivot off the machines on the network, attack them for user information, etc., all from the wireless network. As far as being connected to other stations across the state, while they may be secured, if even one of the machines was compromised and had access to the inner network, that is potentially a way up the food chain to the rest of the network.

Who needs network security when it costs extra money? But I'll be god damned if it isn't illegal for companies and organizations to leave paperwork with personal information outside of a locked cabinet when it isn't needed!

What's really a crime is these pricks passing themselves off as IT professionals and surfing Facebook all day...

I am an IT professional and I never waste my time with useless websites like Facebook. I always try to keep myself as up to date as possible.

Secondly, if I had been at the convention center you were at, I would have crashed their network and taught them a lesson about never hiring someone who doesn't know how to do their job.

And then I would teach that so called in house IT specialist, the real truth of security.

Edited by Infiltrator

I think part of the problem is the abundance of relatively straightforward certifications and organisations who don't know what they are.

Their IT guy could have been a Microsoft Certified Professional; however, the only exam he did was 70-270, which only teaches the basics of XP (I don't even think it covers how to turn the firewall on).

So when he went to interview for the job, it could have been a person who wasn't very computer literate, so Microsoft Certified Professional sounded good.


I suppose I see things a little differently. As a local government "employee" I see a lot of people who are directed to provide service and information to the public using little or no budget to do so. Some crackhead comes in to the employment office to try to get a job (maybe, but who knows) so they can keep unemployment benefits... you cannot really deny them the service you are obligated to offer, even if you cannot afford to do it correctly. Just wait until all of this regulation hits the healthcare fields in the US... cannot afford to provide surgeries right, so we take shortcuts and quit cleaning tools, etc. The point is, it may not be that the IT specialist is knowingly doing anything wrong, or they may be doing exactly what they were told to do in order to keep their job. How do we know what the internet-facing kiosk machines can see? Maybe they can only see each other and the internet, maybe not even that. Would I enter PII on it? Definitely not, nor on any public machine, but to each their own. Security efforts must be related to risk and target value. Why would an organization spend $50k to protect something only worth $25k (litigation included)? If they have nothing to protect, they would likely not do so, especially in business. Everything comes back to money, unfortunately.

Sorry, I will hop off my soap box now.

I think it's more likely their IT guy is probably just someone who works there and was nominated to take care of the machines in the event something stops working (if they could even do that). Even if they only had an MCP, most people who have at least that much capacity to pass the XP exam (which is actually harder than the Vista exam) should know a little about networking and, in general, how bad it is to use WEP. Hell, there are high school kids who know better than to use WEP, so it's more than likely some old fart who isn't really tech savvy.

Thing is, if they knew enough to put WEP on, they should know enough to put on WPA at a minimum. Unless they have some really old hardware and the router doesn't support WPA/WPA2. That's still sad.


Where I "used to" work, the MS IT management were paranoid as sin. If you knew Linux and were good at it, you were silently branded as a hacker and marked for termination.

I would prosecute those bastards. Just because I know Linux and no one else in the company does, it doesn't give them the right to classify me as a hacker/criminal.

Thing is, I don't see this as a budget issue. It's more an ignorance, or even laziness, issue. To walk over and spend five minutes setting up WPA2 on their router and the desktops in the office doesn't cost them any additional money to secure it, so long as their current router supports WPA2 (and if it doesn't, for Christ's sake, a new router might cost them at most $100 to upgrade to one that can do WPA2). Now, if the desktops themselves don't support it, that's another issue, but even still, one that deserves the time and money to fix, when they put themselves and the general public at large who use their network at risk.

Edited by digip

We don't really know how tech savvy that guy really is; he could be just a young tech that just got the job, or, like you said, an old fart. But even if the router is old, it could still be supported by firmware like DD-WRT or Tomato.

But again, it comes down to how tech savvy that so-called specialist is.


My whole complaint is that it's a state facility which allows people to use it to apply for work, etc., where their personal info, such as SS#s, is exposed over wifi. WEP != security!!

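
The thread's two concrete findings are a WEP network and a key that was the office phone number. The script below is an added example for the thread, not code from any poster or from the agency involved. It rates each network in a scan listing the way the posters do (open and WEP are critical, WPA-only is deprecated, mixed WPA/WPA2 still lets TKIP be negotiated, WPA2/WPA3-only passes) and sizes up a hex WEP key drawn only from decimal digits. The scan lines are a constructed sample in the colon-separated shape of `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi`; the SSIDs, signal values and the phone-number key are made up, and the parser assumes SSIDs without colons.

```python
"""Rate wireless networks from a scan listing and size up a WEP key.

Added example; the scan text and the key are constructed samples."""
import math

# Constructed sample in nmcli -t -f SSID,SECURITY,SIGNAN style (no colons
# in the SSIDs). An empty SECURITY column means an open network.
SAMPLE_SCAN = """\
CareerCenter-Public:WEP:74
CareerCenter-Staff:WPA2:71
FreeWiFi::60
OldOffice:WPA1:40
Branch-Kiosk:WPA1 WPA2:55
"""


def rate_security(security: str) -> tuple[str, str]:
    """Map a scan line's SECURITY column to (severity, reason)."""
    tokens = set(security.upper().split())
    if not tokens:
        return "critical", "open network: every frame is readable by anyone in range"
    if "WEP" in tokens:
        return "critical", "WEP: key recoverable from captured traffic, whatever its length"
    if not tokens & {"WPA2", "WPA3"}:
        return "high", "WPA (TKIP) only: deprecated, move to WPA2-AES or WPA3"
    if "WPA1" in tokens:
        return "medium", "mixed WPA/WPA2: TKIP still negotiable, set CCMP (AES) only"
    return "ok", "WPA2/WPA3 only"


def audit_scan(scan_text: str) -> list[dict]:
    """Parse SSID:SECURITY:SIGNAL lines and attach a rating to each."""
    rows = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, security, signal = line.split(":", 2)
        severity, reason = rate_security(security)
        rows.append({
            "ssid": ssid,
            "security": security or "(none)",
            "signal": int(signal),
            "severity": severity,
            "reason": reason,
        })
    return rows


def wep_key_effective_bits(key: str) -> tuple[int, float]:
    """Return (nominal bits, bits actually covered) for a hex WEP key.

    A 10-digit hex key is nominally 40-bit and a 26-digit key 104-bit, but a
    key typed as a phone number uses only the decimal digits, so each
    position carries log2(10) bits instead of 4.
    """
    if len(key) not in (10, 26) or any(c not in "0123456789abcdefABCDEF" for c in key):
        raise ValueError("expected a 10- or 26-digit hex WEP key")
    nominal = len(key) * 4
    if key.isdigit():
        return nominal, round(len(key) * math.log2(10), 1)
    return nominal, float(nominal)


if __name__ == "__main__":
    for row in audit_scan(SAMPLE_SCAN):
        print(f"{row['severity']:8} {row['ssid']:20} {row['security']:10} {row['reason']}")
    print("phone-number WEP key:", wep_key_effective_bits("5551234567"))
```

The rating is about the cipher suite only; the WEP verdict does not depend on the key at all, because the keystream reuse in WEP lets the key be recovered from enough captured IVs. The keyspace function just shows the extra damage of a phone-number key: about 33 bits instead of 40. The same habit on WPA2-PSK is also weak, since a captured four-way handshake can be run against a list of local phone numbers offline.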