Author Topic: Got to love the AU government's stance on security  (Read 2549 times)

0 Members and 1 Guest are viewing this topic.

Offline gnif

  • Administrator
  • *****
  • Posts: 1127
  • Country: au
Got to love the AU government's stance on security
« on: October 24, 2014, 11:08:35 am »
Ok, I find this extremely funny...

Have a quick read over this...
http://www.oaic.gov.au/news-and-events/news/privacy-news/recent-online-security-incidents

And then go here...
https://www.oaic.gov.au/

 :palm:
HostFission - Full Server Monitoring and Management Solutions.
https://hostfission.com/
https://twitter.com/HostFission

Note: I am NOT a moderator or arbiter of disputes, my Admin level of access is so that I can perform management of the server on behalf of Dave. Do not contact me over such issues
 

Offline sunnyhighway

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: nl
Re: Got to love the AU government's stance on security
« Reply #1 on: October 24, 2014, 12:06:25 pm »
Whooa, this is wrong in so many ways I don't even know where to start.  |O

But at least AllowNoPassword is set to false

I guess doing one thing right can make up for a dozen or so wrongs.
 

Offline HackedFridgeMagnet

  • Super Contributor
  • ***
  • Posts: 1956
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #2 on: October 24, 2014, 12:32:47 pm »
well the protocol is right.

What is it a honey trap? or they cant configure a webserver.
 

Offline jeremy

  • Frequent Contributor
  • **
  • Posts: 935
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #3 on: October 24, 2014, 12:36:41 pm »
Wrong certificate used. Looks like a self-signed one that they used for phpMyAdmin access (hey everyone! they are using PHP and MySQL!) and it got dropped onto the root configuration.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5549
  • Country: us
Re: Got to love the AU government's stance on security
« Reply #4 on: October 25, 2014, 12:36:26 am »
Cheap asses

ERR_CERT_AUTHORITY_INVALID

You'll think they can afford at least $500 per domain per year, or go nuts and get the full deal for $2000, or low bid it and get a standard SSL certificate for $200 and extended validation for $300/year or $500 for 25 subdomains.

And if they commit to 3 years then it gets way cheaper.

But it's so common that all those SSL errors get ignored, not just a valid CA, but dated in the future or expired even if it's self-signed.  ::)

Plus using PHP and MySQL, depending how lazy their web developers where, I bet there are many SQLinjectable pages in there.

I'm so glad I never worked on the server side of things, but from the client side of things it's unbelievable to see how many holes there are on servers just to save a few dollars.

 

Offline gnif

  • Administrator
  • *****
  • Posts: 1127
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #5 on: October 25, 2014, 12:51:14 am »
Cheap asses

ERR_CERT_AUTHORITY_INVALID

You'll think they can afford at least $500 per domain per year, or go nuts and get the full deal for $2000, or low bid it and get a standard SSL certificate for $200 and extended validation for $300/year or $500 for 25 subdomains.

And if they commit to 3 years then it gets way cheaper.

But it's so common that all those SSL errors get ignored, not just a valid CA, but dated in the future or expired even if it's self-signed.  ::)

Plus using PHP and MySQL, depending how lazy their web developers where, I bet there are many SQLinjectable pages in there.

I'm so glad I never worked on the server side of things, but from the client side of things it's unbelievable to see how many holes there are on servers just to save a few dollars.

I have often used a self signed CA to provide some level of encryption to a backend/database interface, and I sign it with my own CA which is installed on my local PC as a trusted root authority, so the protection is just as good as if I purchased the cert. The issue here is not the SSL cert, it is that they have exposed their database via PHPMyAdmin to the world, and all you have to do is hit the secure website to find it.
HostFission - Full Server Monitoring and Management Solutions.
https://hostfission.com/
https://twitter.com/HostFission

Note: I am NOT a moderator or arbiter of disputes, my Admin level of access is so that I can perform management of the server on behalf of Dave. Do not contact me over such issues
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5549
  • Country: us
Re: Got to love the AU government's stance on security
« Reply #6 on: October 25, 2014, 12:59:30 am »
Unless someone hijacks the DNS table and redirects you to a proxy and performs a man in the middle attack.

If it has customer data or anything important, you are better off paying the CA fee.

But yeah, that's the least of their problems.


 

Offline gnif

  • Administrator
  • *****
  • Posts: 1127
  • Country: au
Re: Got to love the AU government's stance on security
« Reply #7 on: October 25, 2014, 09:38:18 am »
Unless someone hijacks the DNS table and redirects you to a proxy and performs a man in the middle attack.

If it has customer data or anything important, you are better off paying the CA fee.

But yeah, that's the least of their problems.

MITM attack wont work if I am signing it with my own CA... there is a chain of trust there. But yes, for anything serious a real cert is always used, but server to server comms, or backends for development, etc... signed with my own CA is enough provided that I never let my CA's private key out into the wild. (IE, look at how puppet works)
« Last Edit: October 25, 2014, 09:40:14 am by gnif »
HostFission - Full Server Monitoring and Management Solutions.
https://hostfission.com/
https://twitter.com/HostFission

Note: I am NOT a moderator or arbiter of disputes, my Admin level of access is so that I can perform management of the server on behalf of Dave. Do not contact me over such issues
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf