I've actually done this three times now... I now get a "thanks". That's nice.
I tried paying a bill with a thanks once..... Take it from me, the IRS doesn't like it..... :eek:
Maybe you should point out to your "powers that be" that one of two situations is occurring here:-
1. Your system is so full of simple holes because their current IT staff wouldn't know security if it walked up and spanked them with a wet fish and that the risk to their bottom line is therefore significant and it would probably be in their best interest to hire someone like you, who seems to have a talent for "digging" through it and finding the holes, to mitigate those issues before they become a significant loss.
2. You are so extremely talented at finding holes in people's systems that you feel an unstoppable desire to have that talent properly appreciated in a fiscal fashion by hawking said talent to other organizations.
Either way you come across as an item of value, the only remaining question is what value do they place on their bottom line and what are they prepared to spend to prevent an unacceptable loss.
Methinks you are in a win-win situation.... You seem to know their systems, now learn negotiation........ ;)
Wait, you said they fixed it (temporarily?), but you did it 3 times, and they thanked you each time? And then you were snooping around in payroll to find out you are the lowest paid? Did you also tell them this information? Do you turn off your server every night? I must be slow or something. I just don't get it.
I am led to believe it's both. Putting their complete trust in the Company's system, then forgetting something as simple as a drop shell, makes me wonder what kind of IT peeps they got down there. This first "exploit" (if you choose to call it that) was less talent, and more someone else's lack of observation and testing.
Quote:
Originally posted here by Tiger Shark
I tried paying a bill with a thanks once..... Take it from me, the IRS doesn't like it..... :eek:
Maybe you should point out to your "powers that be" that one of two situations is occurring here:-
1. Your system is so full of simple holes because their current IT staff wouldn't know security if it walked up and spanked them with a wet fish and that the risk to their bottom line is therefore significant and it would probably be in their best interest to hire someone like you, who seems to have a talent for "digging" through it and finding the holes, to mitigate those issues before they become a significant loss.
2. You are so extremely talented at finding holes in people's systems that you feel an unstoppable desire to have that talent properly appreciated in a fiscal fashion by hawking said talent to other organizations.
Either way you come across as an item of value, the only remaining question is what value do they place on their bottom line and what are they prepared to spend to prevent an unacceptable loss.
Methinks you are in a win-win situation.... You seem to know their systems, now learn negotiation........ ;)
I'm not really into the whole "milk 'em for what they're worth" thing. I DO enjoy spelunking into unknown systems, but I prefer to inform the sysadmin soon after. If someone as young as me can find this, who knows who else might?
In response to devpon:
I didn't say I compromised the SAME system three times. There are two others which I have yet to speak of. I did inform them about the payroll thing: in fact, they would not take me seriously until I mentioned it and showed them as an example.
The server is in fact shut down every night. I was doing this from computers in the back office and the sales floor. This portion of the network is intranet only (as in, no apparent outside access).
When I said "temporarily", I meant that I'm not so sure they locked it down. The only thing they did was edit the preferences files nationwide to disable the "!" from inside Lynx. We use other Unix-based programs from within the Company system as well...just a matter of time before something turns up.
Shall I post Part 2? And if so, should I do it in this thread or start another?
Nice find. :) I liked your post. I like reading about stuff like this.
I would like to read your second part too.
I too have found several security vulnerabilities (at least 3 so far this year)... but I can't disclose them (even though they've been fixed) because there are people who know where I work... Though my finds are mostly related to software that we've used (NOTE USED) or misconfigured web/ftp servers of vendors... not so much with our network... but with software or services that we've used. I've even found a way to get ANY user id AND password to a MAJOR banking vendor... talk about a big "OOPS!"...
I am all too familiar with the "thanks". Sometimes not even that!
Most of my finds start with... "Hmm... I wonder what happens if I do..."
And just what position do you hold with this company? That could have a lot to do with their response.
Good point. And I've thought of that. I am basically the (almost) bottom rung employee. That on top of the fact that I am a high school/college student puts me in bad standings automatically.
PART 2:
The portion of the network owned by the Company mentioned in part two has multiple tiers to it. While the previous area handled much of the inventory, register audit, and payroll information, there is another section of the system which is geared toward the employee as an information gathering tool.
Windows 2000 computers are scattered across the Company network. Certain ones are locked behind wooden doors and fixed up with touch screens to be used as information kiosks (more on that in Part 3). Others are stashed in the back office for employee use.
These employee computers are enabled with extremely stripped down privileges (and for good reason, I suppose). I mean, these things let you do next to nothing. You can't right click, no programs ('cept IE) are readily accessible (more in a sec), and forget about trying to log in as a different user. They are configured with an auto-login, which logs you in as this puny user without so much as a pause at the login screen. The only thing you are able to do is browse the intranet website, which is used to inform employees about new jobs, company policy, stock worth, and weather. Convenient. Overpriced.
Anyhoo, after browsing my heart out after school (and before work) I decided, once again, to do some snooping. Not hacking....or cracking....just snooping. Think of it as another security audit. Just unofficial.
During my browsing I happened to find a link that led to a .doc file. While normally insignificant, this was a huge deal, since it meant that I could use Wordpad (yay!). After glancing at the file for "clothing order information", I moved Mr. Mouse up to File -> Open.
And I was rather disappointed. They had disabled My Computer, making any drives unreachable. I clicked on the "Network Places" button.
And was surprised.
For one reason or another, the Company had decided that hosting the intranet site via standard HTTP was not good enough. They decided to make the site accessible as a shared folder. SHARED FOLDER. Wow.
So I wandered in, wondering what was in there (I didn't know it was the server at the time), and found myself in a directory with a familiar name. I quickly opened an html file, and added an "invisible" link (nbsp, no underline) to C:\. Now anyone who clicked that would be magically transported to their own C: drive, which included mine. I saved and returned to the browser (ya...I had write permissions...stupidstupidstupid). After navigating to the page with the secret link and clicking it, I was in the root of my drive.
This is where the fun really began. (Did I say fun? I meant work.)
From here, I navigated to the Program Files area. One thing I noticed was that VNC was installed on the computer. Up until that point I had not paid it much mind, but seeing the folder made me realize something. This program was installed on all the computers.
I made my way back to the root, then to WINNT, then to system32, and to a command prompt (Run menu in Start was disabled). I typed 'regedit' in an attempt to open the Registry Editor. No such luck. The window popped open, then shut before I could respond.
I guess getting the ascii-hex encrypted password wasn't going to be that easy.
Then I thought of something else. If I was on one of these employee machines, which are located all over the Company, wouldn't they need to share some or connection for remote installs and information retrieval?
A quick Z: proved affirmative. On this drive was a plethora of files. One of which was 'touch', which proved handy later. (touch allows you to change the timestamp on a file.)
After typing 'tree', I found that one of the subdirectories was .... VNC! They used one set of files to effectively 'clone' all the PCs. This included the registry entries. Inside the dir was a file conspicuously called vnc.reg. I opened it, and....lo and behold, one of the entries was the ascii-hex encoded password.
I copied it down to paper, and after decoding it that night, returned the next day to see what I had.
I used my little backdoor to get back to the prompt. I typed 'net view', and it gave me a list of all the computers I was connected to. I fired up the VNC viewer, typed in a name and password. The servers were apparently running in stealth mode, since the screen which was displayed had no VNC logo in the corner.
I found I had access to (nearly) all the computers network-wide. This included programmers' comps, admin comps, shipping comps, and ad design comps. I almost read someone's email...but then thought better of it.
I didn't take time to look at everyone's computer. After all, I'm sure I was making a huge log trail, if anyone thought to look, and the more unexplained connections I made, the more trouble, and less thankful (when I told them).
And yes. Once again, they were informed. But only after Part 3. Sort of.
PART 3 next, depending on response.
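For admins who want to check their own deployment shares for the problem Part 2 describes (a registry export such as vnc.reg carrying the VNC password on a share ordinary users can read), here is an audit sketch. It is an added example, not part of the original post: the function names are hypothetical, the sample export is constructed, and its key path and bytes are placeholders.

```python
import re
from pathlib import Path

# Any [key] header, a [key] header mentioning VNC, and a password-like value name.
ANY_KEY_RE = re.compile(r"^\[.*\]\s*$")
VNC_KEY_RE = re.compile(r"^\[(?P<key>[^\]]*vnc[^\]]*)\]\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*password[^"]*)"\s*=', re.IGNORECASE)

def decode_reg(raw: bytes) -> str:
    """Regedit exports are ANSI (REGEDIT4) or UTF-16 LE with a BOM (version 5.00)."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def find_vnc_secrets(text: str):
    """Return (key, value_name) pairs; the stored secret itself is never returned."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if ANY_KEY_RE.match(line):
            m = VNC_KEY_RE.match(line)
            current = m.group("key") if m else None  # leave scope on non-VNC keys
        elif current:
            v = VALUE_RE.match(line)
            if v:
                hits.append((current, v.group("name")))
    return hits

def audit_tree(root):
    """Walk a mounted share or clone-image directory; report .reg files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".reg":
            hits = find_vnc_secrets(decode_reg(path.read_bytes()))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample export; key path and bytes are placeholders, not from the post.
SAMPLE = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\WinVNC\\Default]\r\n"
    '"Password"=hex:00,11,22,33,44,55,66,77\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Other]\r\n"
    '"Password"=hex:aa,bb\r\n'
)

if __name__ == "__main__":
    print(find_vnc_secrets(SAMPLE))
```

Any hit means the file should come off the share, the share's read and write permissions should be tightened, and the VNC password should be rotated on every machine cloned from that image.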
Don't most people stereotype hackers as teenagers though? Seriously, if I ran IT for a company and some kid walked up to me and said there were some serious vulnerabilities, I would take him 100% seriously if he told me where the hole was...
One would think so. But then again, I don't think these guys have to be too qualified for what they are doing. They just get a bit full of themselves (pot calling the kettle black, I suppose) and refuse to listen on the premise that they are the "all powerful programmers/admins/bringers of death". I bet if I told these things to someone outside the IT dept. and my work...say...el presidente....I would have gotten more than a thanks.