Full Disclosure mailing list archives

Re: Need some help with management


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 23 May 2008 11:16:45 -0500

--On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad <elazar () hushmail com> 
wrote:

It's not even funny how often this happens. I have a friend who does
some consulting work for small businesses, and the number of times
that he has come across medical practices that run their billing
and record keeping software on the same "fully-loaded" XP box that
their receptionist(s) use to download random crap...


Typical scenario - professor runs Windows XP with Skype and Google Toolbar and a 
host of other "helpful" desktop applications - oh, but that's his "server" too 
- running IIS and MySQL - default installs, mind you - replete with cross-site 
scripting and SQL injection problems - and all his research with no backups - 
and then gets irate because his computer gets blocked at the switch port for 
policy violations.

I could go on, but you get the idea.

Why do they do it?  Because they can - at least until we catch them.

How many mysql installs do you think there are worldwide, listening on the 
default port, with "root@localhost", "root@FQHN", "@localhost" and "@FQHN" all 
in the default state with no password?

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
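As an added illustration, not part of the original post, here is the check that Paul's closing question invites, run as a MySQL administrator against a default install of that era: list every anonymous account and every account with an empty password, then remove the anonymous users and give the named ones a real password. It assumes the pre-5.7 `mysql.user` layout (a `Password` column and the `PASSWORD()` form of `SET PASSWORD`); the FQDN and the new password are placeholders.

```sql
-- Added example (not from the original message): audit and fix the accounts a
-- default MySQL install creates. Assumes the pre-5.7 mysql.user layout; on 5.7+
-- the column is authentication_string and SET PASSWORD takes a plain string.

-- 1. Find anonymous users ('' user name) and any account with an empty password.
SELECT User, Host, (Password = '') AS no_password
FROM mysql.user
WHERE User = '' OR Password = ''
ORDER BY User, Host;

-- 2. Anonymous accounts have no legitimate use on a workstation-turned-server:
--    drop them. Default installs create them for localhost and the machine's FQDN.
DROP USER ''@'localhost';
DROP USER ''@'host.example.edu';        -- placeholder FQDN: substitute the real one

-- 3. Give the local root account a real password and drop the FQDN root entry
--    unless remote root access is genuinely required.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME-placeholder');
DROP USER 'root'@'host.example.edu';    -- placeholder FQDN

FLUSH PRIVILEGES;

-- 4. Re-run the audit; the expected result is an empty set.
SELECT User, Host
FROM mysql.user
WHERE User = '' OR Password = '';

-- If nothing off the box needs the default port, also set bind-address=127.0.0.1
-- (or skip-networking) in my.cnf so the listener is not exposed at all.
```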