lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <E013572CB0803159F86040CC@utd65257.utdallas.edu>
Date: Fri, 23 May 2008 11:16:45 -0500
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Need some help with management

--On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad <elazar@...hmail.com> 
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Its not even funny how often this happens. I have a friend who does
> some consulting work for small businesses, and the amount of times
> that he has come across medical practices that run their billing
> and record keeping software on the same "fully-loaded" XP box that
> their receptionist(s) use to download random crap...
>

Typical scenario - professor runs Windows XP with Skpe and Google Toolbar and a 
host of other "helpful" desktop applications - oh, but that's his "server" too 
- running IIS and mysql - default installs, mind you - replete with cross-site 
scripting and sql injection problems - and all his research with no backups - 
and then gets irate because his computer gets blocked at the switch port for 
policy violations.

I could go on, but you get the idea.

Why do they do it?  Because they can - at least until we catch them.

How many mysql installs do you think there are worldwide, listening on the 
default port, with "root@...alhost", "root@...N", "@localhost" and "@FQHN" all 
in the default state with no password?

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ