The B3TA Detective Agency
Universalpsykopath tugs our coat and says: Tell us about your feats of deduction and the little mysteries you've solved. Alternatively, tell us about the simple, everyday things that mystified you for far too long.
( , Thu 13 Oct 2011, 12:52)
Universalpsykopath tugs our coat and says: Tell us about your feats of deduction and the little mysteries you've solved. Alternatively, tell us about the simple, everyday things that mystified you for far too long.
( , Thu 13 Oct 2011, 12:52)
« Go Back
Cyber-security
So the IT department at work has got a company of "legal hackers" to test the security of our website. As web manager, they contacted me to ask precisely where all the admin areas are, which parts of the site are password-protected, and then to supply them with a list of usernames and passwords so that they can access those areas and "test their security".
Perhaps I've missed something, but isn't that completely fucking retarded and ass-backwards?
( , Fri 14 Oct 2011, 17:03, 12 replies)
So the IT department at work has got a company of "legal hackers" to test the security of our website. As web manager, they contacted me to ask precisely where all the admin areas are, which parts of the site are password-protected, and then to supply them with a list of usernames and passwords so that they can access those areas and "test their security".
Perhaps I've missed something, but isn't that completely fucking retarded and ass-backwards?
( , Fri 14 Oct 2011, 17:03, 12 replies)
Sounds like the sort of job I could do... Did they find any security holes? You sure that this wasn't a whajimacallit - attack - psychological - ermmm there's a word for this type of scam.
( , Fri 14 Oct 2011, 17:11, closed)
After I made a lot of noise about how there was no chance in hell I was sending a third party a list of all our sensitive passwords
I got an email from the IT director basically ordering me to send them anyway. I have a copy of that email printed and pinned next to my monitor as arse-covering material, should all this turn around and blow up in my face.
( , Fri 14 Oct 2011, 17:13, closed)
I got an email from the IT director basically ordering me to send them anyway. I have a copy of that email printed and pinned next to my monitor as arse-covering material, should all this turn around and blow up in my face.
( , Fri 14 Oct 2011, 17:13, closed)
I believe it's referred to as 'social engineering'. I've a mate in the pen testing game - and while he's done many, many rather interesting things, I'm not sure he's ever been so brazen as to simply ask the web admin for the passwords...
( , Fri 14 Oct 2011, 17:19, closed)
"The art of deception"
by Kevin Mitnick (I think) is a pretty good read. It's all about social engineering, and how he was portrayed as a technical hacker (and subsiquently locked up for 8 years with no trial), when in reality all he did was trick people into giving him passwords.
( , Fri 14 Oct 2011, 21:53, closed)
by Kevin Mitnick (I think) is a pretty good read. It's all about social engineering, and how he was portrayed as a technical hacker (and subsiquently locked up for 8 years with no trial), when in reality all he did was trick people into giving him passwords.
( , Fri 14 Oct 2011, 21:53, closed)
That's what I was thinking.
Their report ought to read 'Major Security Failing: The IT Director who gave us all your passwords'
( , Fri 14 Oct 2011, 17:26, closed)
Their report ought to read 'Major Security Failing: The IT Director who gave us all your passwords'
( , Fri 14 Oct 2011, 17:26, closed)
This occurred to me too.
I used to work for a law firm in the department responsible for organising training courses on data protection and privacy. One attendee company asked me to disclose the names of all the companies attending the course; I said "no".
( , Fri 14 Oct 2011, 17:39, closed)
I used to work for a law firm in the department responsible for organising training courses on data protection and privacy. One attendee company asked me to disclose the names of all the companies attending the course; I said "no".
( , Fri 14 Oct 2011, 17:39, closed)
A truly comprehensive test of security would require penetration testing, yes, but would also test to see whether each user role (e.g. administrator) could only do the things they're supposed to do, instead of (for example) hoovering up every visitor's credit card numbers, genetic fingerprint and preferred sexual position.
( , Fri 14 Oct 2011, 21:35, closed)
Then they should use each person's logon with them sitting there.
Rule number one is you never give out a privileged password. I used to work as an admin and the only way I'd knowingly allow someone to test my access would be to check it whilst I watched.
I suppose another way to do it is to change the passwords of the affected accounts to ones known by the auditors for a brief window for testing and change them back afterwards. This, however, would require an air-tight contract to protect both the company concerned and the auditors.
( , Sat 15 Oct 2011, 0:12, closed)
Rule number one is you never give out a privileged password. I used to work as an admin and the only way I'd knowingly allow someone to test my access would be to check it whilst I watched.
I suppose another way to do it is to change the passwords of the affected accounts to ones known by the auditors for a brief window for testing and change them back afterwards. This, however, would require an air-tight contract to protect both the company concerned and the auditors.
( , Sat 15 Oct 2011, 0:12, closed)
You're right about both.
Temporary passwords and sitting over the shoulder.
Truth be told, that type of testing should first take place in a sandboxed environment with test (not production) data.
( , Sat 15 Oct 2011, 0:23, closed)
Temporary passwords and sitting over the shoulder.
Truth be told, that type of testing should first take place in a sandboxed environment with test (not production) data.
( , Sat 15 Oct 2011, 0:23, closed)
« Go Back