Laughably terrible security practices


Post by 0phidian on Wed Oct 24, 2012 2:33 pm

Got any stories of people whose security practices were so bad it was entertaining?

At one of my old jobs, immediately after being hired, the sys admin (aka some random HR person of questionable intelligence) made me an account for their computer systems. They informed me that everyone's username was the first letter of their first name then their last name, for example: "dsmith". And then they told me that my password was "pass123", the same as everyone else including the store manager, because she felt it was easier for everyone to remember that way. So I thought, any time I wanted to I could just log in as a manager and give myself a raise, or as the sys admin and do anything I want?
I found this so amusing that I literally laughed out loud. I never brought these concerns to anyone's attention though, because I didn't particularly care for the company. :twisted:

It was actually a large company, not just some little small business.


Re: Laughably terrible security practices

Post by hellow533 on Wed Oct 24, 2012 2:57 pm

I went to a client's business for a computer error and found out all files, information, SSID, and everything on every employee and patient was available at my fingertips and available to all employees. Home address, even some had banking information. That's only part 1. Next, I found out all information transferred between them with personal information was over email. Imagine a doctor's office sending you all your information unencrypted over email. No thanks Jeff.

Part 3, their router username/pass (for such a high profile business) was admin/admin. I'm not complaining though, I was paid over $900 for all of this to be fixed, changing how they operate, etc.

Oh, and just about every computer there had some form of virus, some of them having keyloggers because the employees go on websites and games at work. So sending patient information over unencrypted email with keyloggers.

Seems legit. I wonder how other doctors' offices are when things like this are going on.
“Teach me how to hack!”
"What, like, with an axe?"


Re: Laughably terrible security practices

Post by kujinR on Tue Oct 30, 2012 7:19 am

My old high school asked me to make some changes to their website when I came across this little gem:

Code:
$sqlQuery = "SELECT * FROM students WHERE stud_id LIKE '%$search%' or firstname LIKE '%$search%' or lastname LIKE '%$search%'";

It made this xkcd much, much funnier.

I'm just astonished at what people can get away with around here. /sigh
"Better to keep your mouth shut and be thought a fool than to open it and remove all doubt."
"red = changed"
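To show concretely what the string-built query in kujinR's post lets a visitor do, here is an added example; it is not part of the post or of the school's code. It re-creates the same query shape in Python against an in-memory SQLite table (a stand-in for the PHP/MySQL original, of which the post shows only that one line), runs a UNION payload through it to pull the table definition out of sqlite_master, and then shows the parameterized version. The fixed version also escapes LIKE wildcards, so a search for "%" no longer silently matches every row. The table columns, sample rows and payload are all constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny "students" table.
SAMPLE_ROWS = [
    (1001, "Alice", "Andersson"),
    (1002, "Bob", "Baptiste"),
    (1003, "Carol", "Chen"),
]


def make_db():
    """Build an in-memory SQLite database shaped like the table the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (stud_id INTEGER, firstname TEXT, lastname TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, search):
    """Same shape as the quoted PHP line: user input glued straight into the SQL.

    A single quote in `search` ends the string literal, and everything after it
    is parsed as SQL. `--` then comments out the rest of the original query.
    """
    sql = (
        "SELECT * FROM students WHERE stud_id LIKE '%" + search + "%' "
        "or firstname LIKE '%" + search + "%' or lastname LIKE '%" + search + "%'"
    )
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally.

    Parameter binding stops injection, but '%' and '_' are still wildcards
    inside a LIKE pattern; without this, searching for '%' returns every row.
    """
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def safe_search(conn, search):
    """Parameterized version: the pattern is bound, never concatenated."""
    pattern = "%" + escape_like(search) + "%"
    sql = (
        "SELECT * FROM students "
        "WHERE CAST(stud_id AS TEXT) LIKE ? ESCAPE '\\' "
        "OR firstname LIKE ? ESCAPE '\\' "
        "OR lastname LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, (pattern, pattern, pattern)).fetchall()


# Constructed payload: closes the quote, appends a UNION that reads the schema
# catalogue, and comments out the tail of the original query.
UNION_PAYLOAD = "zzz' UNION SELECT name, sql, 1 FROM sqlite_master --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_search(db, UNION_PAYLOAD))  # leaks CREATE TABLE text
    print("safe:      ", safe_search(db, UNION_PAYLOAD))        # []
    print("vulnerable '%':", len(vulnerable_search(db, "%")))  # 3 (every row)
    print("safe '%':      ", len(safe_search(db, "%")))        # 0 (literal match)
```

In PHP the equivalent fix is a PDO or mysqli prepared statement with the three `%...%` patterns bound as parameters, plus the same wildcard escaping before the pattern is built; the escaping step is the part that is usually forgotten once the injection itself is fixed.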


Re: Laughably terrible security practices

Post by not_essence2 on Sun Nov 04, 2012 6:11 pm

Last year at school, I was in the library guessing people's passwords at logon. This one guy had the password "123456". It was really hilarious.

Also, at my desktop, there was this Q: drive that not even the admin had access to. Funny, however, when I was saving a Word 2007 document, the Q: drive popped up as "Q: (App Virt)" and I could go in and have access to all of it.


Re: Laughably terrible security practices

Post by xsvMix on Thu Nov 08, 2012 6:23 am

At my university it is possible to get onto any drive of a logged on PC, including C: and flash drives. I also found the PHP config data of their website. There is no antivirus on any PC. The student website login is unencrypted and I managed to sniff my own password as proof.

I ran a keylogger on one PC as proof and accidentally forgot about it for about a week. A friend later reminded me so I rushed to take it off. It included gmail, facebook, and student accounts. Scary to think what a black hat would do with that information. IRC is unblocked and I ran clients on about 10 PC's to show the possibility of a bot net.

Also near the end of a semester we wrote an online exam. The result from almost 200 students trying to log on at once is their server crashed.


Re: Laughably terrible security practices

Post by Shade_of_Gray on Thu Nov 08, 2012 9:34 am

At one college I attended, the doors to several of the labs had a lock/unlock toggle pushbutton on the edge of the door with the latch. When you open the door with the key, you push the button to unlock it for everyone, and you push the other one to lock it.

Some doors had a security plate over the mechanism. Many doors didn't.

I opened these labs regularly with a car key by sliding it between the door and the jamb and levering it to push the button while the door was closed.

I pointed this out once to my professor, but as far as I know nothing ever came of it.


Re: Laughably terrible security practices

Post by weekend hacker on Thu Nov 08, 2012 10:42 am

At my previous job, the login:password for all computers was the company name (to be fair it was a domain login, so not full admin, although nothing was actually disabled and it was Win XP).
My login for their database software (do we even call an MS Access thing software?) was my initials, and so was the password. It gave me access but some things were disabled. But it also gave me full database access... "please don't change things directly in the database! except when the software fails and you need to fix things", which was about 5 times a day.
We had access to a network drive where we had to store random things. There was also a network drive where the execs put all their files, like financial data, emails, etc. It was simply not mounted by default, but there was nothing preventing you from doing so.
The private site to submit vacation time was riddled with SQLi holes. Literally everything you could exploit was exploitable, and this was accessible from the web.
The IT guy would need to get permission from the boss to work on it to fix it and that guy was a cheap bastard who refused to pay for anything, so obviously nothing got fixed apart from net send being disabled by default.

EDIT: nov 22 2012
Said company just went bankrupt.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...


Re: Laughably terrible security practices

Post by mookalovesgloop on Thu Nov 08, 2012 11:56 pm

peace...

well even though I don't know MUCH I did find, to my delight, that the powers that be @ this one job I had as a collections rep didn't have the common sense to disable the developer tools for their client interface system... this had to be the most horrible job I've ever had the displeasure to work... when I lined up a new job and was in my last week as a collector, I did SOOOOOOOOOOOOOOOOOOOOOOOOO much document.write :twisted: :twisted: and the hilarious part was that no one ever figured out why I kept receiving strange, never before seen error messages/codes -- my personal favorite "fatal exception: 666 SATAN LIVES"

and I'd just sit innocently and quietly while they poked and prodded and finally would just tell me to reboot my system (which took about 15 minutes to do due to their shitty computer systems)

hotep
mooka
gloop!


Re: Laughably terrible security practices

Post by not_essence2 on Sat Nov 10, 2012 6:10 pm

My friend and I were at school, both working on a project with laptops, next to each other. He went to ask the teacher about the project, and he hadn't logged on yet, so I decided to take a crack at it. First guess was his first name, and guess what, it logged on. Being the friend that I was, though, I told him and he changed the password the same day.
Funny thing however, apparently no one guessed the password correctly for 3 years until I came along...


Re: Laughably terrible security practices

Post by mookalovesgloop on Wed Nov 21, 2012 5:30 pm

this one isn't even funny... the place where I just started working has all of its system passwords, EVEN the manager/administrator's, set as. . . . . . . . . .wait for it. . . . . . . .wait for it. . . . . . . . . . .
PASSWORD!! :o :shock: :o :roll: all small letters, no variations. I tried to respectfully and humbly suggest to my boss that this wasn't the best idea, but he assured me that *no one* would ever try to break into the systems... and besides, the main server is somewhere in Florida :roll: :roll: :roll:

utterly perplexing
peace
mooka
gloop!

