Wow!!!, this is what i call a big mistake!!!

Guys,

What a big mistake!!!

Quote:

---

Hack-proofing a website is hard enough. But the task becomes gargantuan when you accidentally publish the administrator's password on one of your site's most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in and gain access to files undetected for more than six months on a server operated by Carmichael Lynch, a public relations and advertising firm with several big-name clients. The admin password was inadvertently published on a page that contained online job postings.

---

Full story here

Will you fire the employee that did this??? hehe!!!

Bye.

oops! it just goes to show that one of the many things ive learned through this site and others as well as the books ive been reading that the weakest link in a network are the people that run it.

Umm.. Well If I were running the web publishing company, which hopefully in the next 3 to 4 months I will be, I personally plan to go over all of the pages before our clients get their hands on it. Its the design managers fault for not checking over the work of his/her employees. So in short, no I wouldn't.

<off_topic>
Speaking of stupidity (sorry Dad.. :rolleyes: )....My Dad rang me @ 4:56 am the other day. I thought it was some kind of emergencey....instead he asks "What's the address for kazaa?"....... :D
</off_topic>

lol, how in the world to you "accidentally" post the password to the admin account on a website like that? I think this one deserves a little more looking in to from the Lynch folks.

[edit]

Ah I just read the article and I see that they were using FrontPage to create their html... lol seems FrontPage put in "unwanted code" to their pages which caused this problem. Yet another reason to use notepad instead ;)

[/edit]




El Diablo

I think that it is important (especially to the n00bs) to identify what other information can actually be obtained from such a mistake.

1. The biggest, and most obvious, a username and password was posted on a publically available web page.
2. You know the username format. So one can safely assume that all other login IDs for that server, if not the company are in the same format.
3. The password, IMO wouldnt be considered strong, so one can also assume that that server does not have any password strength testing or auditing tools.

But I have always said that it is alright to make mistakes, as long as you learn from the ones that you do make!

Hopefully now people reading this now realise that an error such as this is not as cut-and-dry as disclosing a userid and password. You also disclosing a lot of other information that a hacker may find useful for their cause.

Wow that's a big oops. Lucky them that not many people knew about it. I wouldn't fire the guy, just give him a good yelling at :P.

Oh and by the way...what would a hacker find good use for in a list of people and thier cars?

What the hell... How do you ACCIDENTALLY post the password? That's not even stupidity, he's way beyond that. This just goes to show that it doesn't always take knowledge for a hacker to break into something, the stupidity (or whatever this case may be) of the user can be the key to it.

That guy would get fired from my company if I checked the logs and found that confidential information had been leaked. Otherwise, he'd get a major yelling and maybe a pay cut.
Cheers,
cgkanchi

Seems to me that this would bear close scrutiny before any action is taken. If the employee has a good record and the "mistake" was made at the end of a 12 or 15 hour day or just under the wire of an intensly important deadline, then it COULD be viewed as an honest (albeit stupid) mistake. In that case, a reprimand and a "probationary" period would suffice. If it was due to incompetence, a demotion and possible suspension w/o pay would probably address the issue. However, if the employee has had previous "indiscretions", ie insubordination, resistance to working in a team enviroment, problems with upper management, etc., then the possibility that a malicious act was committed does exist and would justify termination. Just my .02 worth.