December 21st, 2009, 02:43 PM
Access to system
I have access to a system. I know the VPN password and I am in. I have local admin rights on one of the servers. I am not malicious and do not want to do anything. I just want to let the proper people, in this case the media know what is going on in this government agencies. What kinda of damage can a hacker if he got into such a system. I need this information to present it to the media. If any one can help it would be appreciated. Just an update. I was the Network Admin. The VPN password was not changed. I used a users credentials and got in to the terminal server and logged in with locally with my old admin password, how incompetent is that. So technically i have not broken in, I just walked right in. I am trying to protect the clients by exposing these incompetent people.
Last edited by monty400; December 21st, 2009 at 04:15 PM.
December 21st, 2009, 03:50 PM
A few thoughts:
1. You have broken the law by accessing that system.
2. You should be notifying that agency that they have a violation, not the media. See point 1.
3. Depending on the agency, with local system access rights you could do a lot or nothing. The local system could be a honeypot with false info in it. Or it could be a very important system that has info that if made public could cause lots of lives to be lost (then point 1 could be changed to treason if you made that info public).
December 21st, 2009, 04:01 PM
I was the Network Admin there. I created that VPN password and it is still used. also this is a terminal box with local admin right with my old password. So it is real. A hacker can install software to capture a host of information. I am not doing this to harm anyone. I just want to point out the managerial idiots that work there.
December 21st, 2009, 05:07 PM
Good question: would you "record" your call to the FBI to report and save the recording in case they are looking for a scapegoat? Or would you report it to a whistle-blowing site like wikileaks.com that is a community of everybody including law enforcement? Your access to the system will get lost in a sea of curiosity.
December 21st, 2009, 05:39 PM
Last edited by nihil; December 21st, 2009 at 06:26 PM.
December 22nd, 2009, 01:36 PM
Access to system
Thanks for your input nihil. No there was not any signing off any security policy.
Yes I was Network Admin. But as for one a Network Admin is responsible for the the security of a Network and management is also responsible to make such action is followed. When a user leaves all access from the network should be terminated. In the case of a systems guy leaving, access to the system should be completely closed; yes all password should be changed. Say I was a malicious person all I have to do is go to hacker bulletin boards and upload information. I am concern for the clients because it seems this agency is incompetent in providing adequate security for their systems thus potentially harming client information.
Last edited by monty400; December 22nd, 2009 at 01:39 PM.
December 22nd, 2009, 08:24 PM
The lack of a documented security policy is certainly a major shortcoming, however, I doubt if the management even realise the need for such a thing. In my experience they tend to rely on their IT professionals to take the lead in that area.
I agree that when an employee leaves then their user account should be closed, and if you are going to fire someone you should do that before telling them, and escort them off the premises. I have known cases where ex-employees have wreaked havoc before their account was closed.
I guess it is not unusual for common passwords not to be changed when someone leaves, but this is for applications that can only be accessed if you have a valid account and access to a local network machine. Stuff like pricelists, inventory specifications and the like. Because these accounts don't have data entry or modification rights this approach is usually considered satisfactory.
Your guys certainly don't understand VPN, but would you expect non-IT people to do so?
I guess the real issue is that even if you can get to the server, what can you do from there? Would it expose any sensitive information?
December 22nd, 2009, 08:44 PM
There is no information on that server its a terminal server but has access to the main database that is web based; software could be loaded, such as hacking software to capture passwords and so on. I just cannot comprehend why these guys would leave such a security hole. If I were malicious and gave this information to a hacker and they were good it would be lights out then client information would be at risk. You are right that I should inform them of it but I would love to report this.
December 23rd, 2009, 05:20 AM
While you are connected and logged on to the server, change your password quickly to something difficult to remember. You only have to type it in twice and never think of it again.
If you do not agree, then obviously your concern is not protecting to client, or 'doing the right thing' as you want to make a big deal out of the issue, most likely for personal gain.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
December 23rd, 2009, 06:02 AM
I would either alert them to their problem, or simply forget about it.
I work as a network/systems admin, and there are a ton of passwords that would have to be changed if I left. There is also a good deal of trust. If I were to part with my current employer, I would probably just sever all ties, and hope for a good recommendation.
It is not worth it to me. That would make for a big gap on my resume, because of an employer that I could not list. And as MSM pointed out, there is a possibility of charges being brought. Industrial sabotage comes to mind. [I think that is what it is called here in the states...] Not to mention wire-fraud, etc.
I have been ticked at employers too, but sometimes you just have to suck it up.
I guess that is what it really boils down to. Are you just angry with your former employer, or do you care about the integrity of their systems? If the former is true, walk away. If the latter is true, send them a letter/email describing the problem, and your suggestion as to how to fix it.
Hope I didn't come off as sounding offensive. It was not my desire.
Welcome to AO.
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
By rpgraff in forum Spyware / Adware
Last Post: August 24th, 2004, 08:01 AM
By agent.idle in forum Other Tutorials Forum
Last Post: March 12th, 2004, 05:39 PM
By M@rin3 Snip3r in forum AntiOnline's General Chit Chat
Last Post: September 24th, 2003, 03:59 AM
By qwerty_smith in forum Other Tutorials Forum
Last Post: September 23rd, 2002, 06:29 PM
By Noble Hamlet in forum AntiOnline's General Chit Chat
Last Post: March 17th, 2002, 08:38 AM