Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Hybrid View

  1. #1
    Junior Member
    Join Date
    Dec 2009

    Access to system

    I have access to a system. I know the VPN password and I am in. I have local admin rights on one of the servers. I am not malicious and do not want to do anything. I just want to let the proper people, in this case the media know what is going on in this government agencies. What kinda of damage can a hacker if he got into such a system. I need this information to present it to the media. If any one can help it would be appreciated. Just an update. I was the Network Admin. The VPN password was not changed. I used a users credentials and got in to the terminal server and logged in with locally with my old admin password, how incompetent is that. So technically i have not broken in, I just walked right in. I am trying to protect the clients by exposing these incompetent people.

    Last edited by monty400; December 21st, 2009 at 04:15 PM.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA
    A few thoughts:

    1. You have broken the law by accessing that system.

    2. You should be notifying that agency that they have a violation, not the media. See point 1.

    3. Depending on the agency, with local system access rights you could do a lot or nothing. The local system could be a honeypot with false info in it. Or it could be a very important system that has info that if made public could cause lots of lives to be lost (then point 1 could be changed to treason if you made that info public).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Junior Member
    Join Date
    Dec 2009

    Thank Msmittens

    I was the Network Admin there. I created that VPN password and it is still used. also this is a terminal box with local admin right with my old password. So it is real. A hacker can install software to capture a host of information. I am not doing this to harm anyone. I just want to point out the managerial idiots that work there.

  4. #4
    Join Date
    Nov 2002
    Good question: would you "record" your call to the FBI to report and save the recording in case they are looking for a scapegoat? Or would you report it to a whistle-blowing site like wikileaks.com that is a community of everybody including law enforcement? Your access to the system will get lost in a sea of curiosity.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    Please forget about it.............the media neither care nor understand......in that respect they represent the public perfectly

    MsM is correct, you should inform the agency concerned. If I might be allowed to play "devil's advocate" I would look at your statement:

    I was the Network Admin there. I created that VPN password and it is still used.
    You were in a position of trust? as a juror I know nothing about computers, but I do understand trust and responsibility?????????????

    Obviously; you found this out because you "had an old shortcut on your desktop, and clicked on it by mistake?"..............

    They could live with that one because it implies that you are almost as incompetent as themselves I think that gets round a part of MsM's #1?

    Another thing you need to ask is whether you left them on "good terms" or not? If you were fired or made redundant your actions would be construed as "sour grapes"; and if you left on good terms it would be considered downright disloyalty. I am afraid it is a sort of "catch 22" situation?

    I have been in a similar situation but was not aware of it until I was asked to go back to the site and help them fix a problem.............they told me my ID and pass were still valid "because we knew we would have to call on you sooner or later, John"

    Yeah, well.............................


    Couple of afterthoughts:

    1. Did you have a signed off site security policy on what to do when a member of staff left?

    2. Was having a common VPN password a good idea? Let's face it, nobody has any regard or respect for common passwords.

    I would take the view that these issues were well within the remit of the Systems Administrator rather than the management?
    Last edited by nihil; December 21st, 2009 at 06:26 PM.

  6. #6
    Junior Member
    Join Date
    Dec 2009

    Access to system

    Thanks for your input nihil. No there was not any signing off any security policy.
    Yes I was Network Admin. But as for one a Network Admin is responsible for the the security of a Network and management is also responsible to make such action is followed. When a user leaves all access from the network should be terminated. In the case of a systems guy leaving, access to the system should be completely closed; yes all password should be changed. Say I was a malicious person all I have to do is go to hacker bulletin boards and upload information. I am concern for the clients because it seems this agency is incompetent in providing adequate security for their systems thus potentially harming client information.
    Last edited by monty400; December 22nd, 2009 at 01:39 PM.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi Monty,

    The lack of a documented security policy is certainly a major shortcoming, however, I doubt if the management even realise the need for such a thing. In my experience they tend to rely on their IT professionals to take the lead in that area.

    I agree that when an employee leaves then their user account should be closed, and if you are going to fire someone you should do that before telling them, and escort them off the premises. I have known cases where ex-employees have wreaked havoc before their account was closed.

    I guess it is not unusual for common passwords not to be changed when someone leaves, but this is for applications that can only be accessed if you have a valid account and access to a local network machine. Stuff like pricelists, inventory specifications and the like. Because these accounts don't have data entry or modification rights this approach is usually considered satisfactory.

    Your guys certainly don't understand VPN, but would you expect non-IT people to do so?

    I guess the real issue is that even if you can get to the server, what can you do from there? Would it expose any sensitive information?

  8. #8
    Junior Member
    Join Date
    Dec 2009

    Thanks Nihil

    There is no information on that server its a terminal server but has access to the main database that is web based; software could be loaded, such as hacking software to capture passwords and so on. I just cannot comprehend why these guys would leave such a security hole. If I were malicious and gave this information to a hacker and they were good it would be lights out then client information would be at risk. You are right that I should inform them of it but I would love to report this.

  9. #9
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    While you are connected and logged on to the server, change your password quickly to something difficult to remember. You only have to type it in twice and never think of it again.

    Problem solved.

    If you do not agree, then obviously your concern is not protecting to client, or 'doing the right thing' as you want to make a big deal out of the issue, most likely for personal gain.

    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  10. #10
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    SW MO
    I would either alert them to their problem, or simply forget about it.

    I work as a network/systems admin, and there are a ton of passwords that would have to be changed if I left. There is also a good deal of trust. If I were to part with my current employer, I would probably just sever all ties, and hope for a good recommendation.

    It is not worth it to me. That would make for a big gap on my resume, because of an employer that I could not list. And as MSM pointed out, there is a possibility of charges being brought. Industrial sabotage comes to mind. [I think that is what it is called here in the states...] Not to mention wire-fraud, etc.

    I have been ticked at employers too, but sometimes you just have to suck it up.

    I guess that is what it really boils down to. Are you just angry with your former employer, or do you care about the integrity of their systems? If the former is true, walk away. If the latter is true, send them a letter/email describing the problem, and your suggestion as to how to fix it.

    Hope I didn't come off as sounding offensive. It was not my desire.

    Welcome to AO.


    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"


Similar Threads

  1. can't rid my computer of Spoton
    By rpgraff in forum Spyware / Adware
    Replies: 16
    Last Post: August 24th, 2004, 08:01 AM
  2. OpenVMS Fundamentals Chapter 1
    By agent.idle in forum Other Tutorials Forum
    Replies: 0
    Last Post: March 12th, 2004, 05:39 PM
  3. Denial of Service
    By M@rin3 Snip3r in forum AntiOnline's General Chit Chat
    Replies: 6
    Last Post: September 24th, 2003, 03:59 AM
  4. CMOS commands
    By qwerty_smith in forum Other Tutorials Forum
    Replies: 7
    Last Post: September 23rd, 2002, 06:29 PM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 08:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.