Data Leak! What Not to Do!

Posted: September 19, 2007 in Passwords, Threats, What doesn't work

The other day I performed an external penetration test and obtained access using a default password that had never been changed (a common finding). Afterwards I began looking up statistics on passwords, and here is one of the links that came up in a regular Google search.

http://staff.washington.edu/krl/stats/pwc/

Amazing that someone would, to this day, post such information on a public website. Nice to know if this were my next external penetration target. Wait, it gets better! Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go up one level, which led me to these:

http://staff.washington.edu/krl/stats/

http://depts.washington.edu/ast/projects.old/

http://depts.washington.edu/ast/projects.old/pwedit.html

Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in each /etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6
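As an added example (this is not code from the original post, nor from the site it describes), here is a small Python script that does what the post describes: strip the URL back one directory at a time and look at whatever each parent serves, flagging an auto-generated directory listing and any 13-character traditional crypt(3) hash such as the P: field quoted above. The host example.test, its page contents and the fake_fetch function are constructed so the script runs offline; the hash heuristic (a colon in front, and mixed case or digits inside) is my own and is not from the post.

```python
"""Added example: walk a URL back up its directory path, the way the post
describes, and flag two kinds of leak on each page found there: an
auto-generated directory listing and traditional 13-character crypt(3)
password hashes such as the P: field quoted above.

The ``fetch`` callable is injected so the walk can run offline against a
constructed set of pages; swap in a real HTTP client (urllib, requests) to
check a host you are authorised to test. Everything under example.test below
is constructed for this example; it is not the real site from the post."""

import re
from urllib.parse import urlsplit, urlunsplit

# Apache/IIS style auto-index pages title themselves "Index of /path".
DIR_LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)

# Traditional DES crypt(3) output is exactly 13 characters from [./0-9A-Za-z]
# (2-character salt + 11 characters of encoded ciphertext). Require a ':'
# before it, which covers both /etc/passwd records (name:hash:uid:...) and the
# "P:hash" style record quoted in the post.
CRYPT_TOKEN_RE = re.compile(r"(?<=:)([./0-9A-Za-z]{13})(?![./0-9A-Za-z])")


def parent_urls(url):
    """Return the directories above ``url``, nearest first, ending at '/'.

    For a URL that names a file, the directory containing it comes first;
    for a URL that already names a directory, its parent comes first.
    Query string and fragment are dropped.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    directory = path if path.endswith("/") else path[: path.rfind("/") + 1]
    ancestors = [directory] if directory != path else []
    while directory != "/":
        directory = directory[:-1]                         # drop trailing '/'
        directory = directory[: directory.rfind("/") + 1]  # peel one segment
        ancestors.append(directory)
    return [urlunsplit((parts.scheme, parts.netloc, p, "", "")) for p in ancestors]


def _looks_like_hash(token):
    """Heuristic (my own, not from the post) to drop ordinary 13-letter words:
    real crypt output almost always mixes case heavily or contains digits,
    '.' or '/'."""
    uppers = sum(c.isupper() for c in token)
    return uppers >= 2 or any(c.isdigit() or c in "./" for c in token)


def find_crypt_hashes(text):
    """Return candidate traditional crypt(3) hashes found in ``text``."""
    return [t for t in CRYPT_TOKEN_RE.findall(text) if _looks_like_hash(t)]


def scan_page(body):
    """Classify what one page body leaks."""
    return {
        "directory_listing": bool(DIR_LISTING_RE.search(body)),
        "crypt_hashes": find_crypt_hashes(body),
    }


def walk_up(url, fetch):
    """Fetch every parent directory of ``url`` and report the ones that leak.

    ``fetch(url)`` must return the response body as str, or None if nothing
    was served. Returns {parent_url: scan_page(...)} for leaking pages only.
    """
    findings = {}
    for parent in parent_urls(url):
        body = fetch(parent)
        if body is None:
            continue
        result = scan_page(body)
        if result["directory_listing"] or result["crypt_hashes"]:
            findings[parent] = result
    return findings


# Constructed sample site (hostname and contents invented for this example).
# The deepest page is harmless; the directory above it serves an auto-index;
# the one above that contains the account record quoted in the post.
SAMPLE_SITE = {
    "http://example.test/staff/stats/pwc/": "<html><title>Password stats</title></html>",
    "http://example.test/staff/stats/": "<html><title>Index of /staff/stats</title>"
                                        '<a href="pwc/">pwc/</a></html>',
    "http://example.test/staff/": "<html><title>Projects</title><pre>"
                                  "U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6"
                                  "</pre></html>",
    # nothing is served at http://example.test/
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET against SAMPLE_SITE."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    for page, result in walk_up("http://example.test/staff/stats/pwc/", fake_fetch).items():
        print(page, result)
```

With a real fetch (for instance urllib.request.urlopen(url).read().decode()) this is exactly the walk the post describes, so run it only against hosts you are authorised to test. The lesson for the defender is the mirror image: disable directory indexing on anything publicly reachable, and treat any 13-character token sitting after a colon in a published file as a password hash until proven otherwise.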


So why did I post this?

Two reasons. One, I have a blog. Two, because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story, I will post another message.
