Security Through Obscurity

Two nights ago (March 20, 2017) I came across the funniest bug report from Mozilla. I know the bigger question is why I am going through bug reports. Let’s just say it’s an interest and it’s a reminder not to be complacent.

Anyway, this complaint was hilarious and I wish I had grabbed a screenshot of it. To be honest it was refreshing to smile. It became even funnier as my curiosity was piqued and I had to check the website out… and wow…

This is the complaint that was filed and it was rather obvious the complainant failed at reading:

:: Developer Documentation Request

Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, [*www.FrontPageWebsiteFromLate90.com] is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business.

A pleasant, short reply explained how to address the warning the browser produces, to which the “developer/owner” replied:

I don’t want the notice of insecure password/log-in on my website. You do not have permission to put it there. We have our own security process and have never had a problem.

RESOLVED WONTFIX

*I have removed information to protect the stupid.


The bug report was then closed, as it was not a bug report, and locked once the reddit community got wind of it; hilarity ensued within a matter of hours. When it comes to the internet you never publicly throw down a gauntlet, especially when it comes to security.


So, as one can imagine, things turned pretty bad, which in turn also means other domains sharing hosting on that address would be vulnerable. That one act of hubris created a domino effect.

What was strange (based on readings from reddit)?
I’m sure there would have been more examples of how not to set up a webserver, but the site was taken down, the IP address changed, and the domain is parked as of writing.

  • Plaintext password fields
    • Wow… and wow
  • Unmaintained code
    • Old code isn’t the issue; it’s the fact that you can tell it was never maintained
  • URLs claiming to be secure – why?
    • This was the link in the header for submitting credit card and user information
      • http://www.IamSTUPID.com/SSL_Subscribe/subscribe_us.aspx
        • Notice no HTTPS, and then an “SSL” directory for added security <sarcasm – no security>
    • It looks like someone may have mentioned that this was an insecure practice, and so this was the solution placed on the footer link (yes, on top of this the owner forgot to update all the links)
      • https://secure.netsolhost.com/IamSTUPID.com/ssl_subscribe/subscribe.htm
        • Utilizing a shared host’s certificate to pass a transaction just to get rid of a complaint?
    • This really made me laugh: “All credit card information is encrypted using our Secure Transaction Server. If you have any questions about our online security, please don’t hesitate to call us at XXX.271.3319”
      • “Secure transaction server” when the data is passed as plaintext
  • Deprecated JS code
    • Susceptible to XSS attack
    • No bounds checking
    • Unhandled null exception errors allowed
  • Database arguments
    • Susceptible to SQLi (SQL injection) payloads
  • Login page URL served in plaintext
    • http://www.IamSTUPID.com/html/login.aspx
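
The first and last items above are exactly what Firefox’s insecure-login warning detects: a password field delivered over plain HTTP. As an added example (not from the original post or from Mozilla’s code), here is a small stdlib-only audit that applies the same rule to a page’s HTML; the host names and sample markup are constructed placeholders modelled on the URLs listed above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None  # resolved action of the form currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append(self._classify(a.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

    def _classify(self, field):
        # Only the URL scheme counts; an "SSL" directory name is decoration.
        page_https = urlparse(self.page_url).scheme == "https"
        action = self.action or self.page_url
        if page_https and urlparse(action).scheme == "https":
            status = "ok"
        elif not page_https:
            status = "insecure page"  # form markup itself can be altered in transit
        else:
            status = "insecure action"  # https page submitting to an http URL
        return {"field": field, "action": action, "status": status}


def audit_login_forms(page_url, html):
    """Return one record per password field found in html served at page_url."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample modelled on the post's observations (placeholder host).
SAMPLE_HTML = (
    '<form action="/html/login.aspx" method="post">'
    '<input name="user"><input type="password" name="pwd"></form>'
    '<form action="http://www.example.test/SSL_Subscribe/subscribe_us.aspx">'
    '<input type="password" name="card_pin"></form>'
)
```

Running `audit_login_forms("http://www.example.test/html/login.aspx", SAMPLE_HTML)` flags both fields as "insecure page", which is the condition the browser warning is reacting to.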

Server Side (this hurts more)

  • Full debug logs returned for all exceptions
  • IIS responds with its version banner, and it is an unpatched version
    • ASP full debug enabled
  • Open and responding ports
    • 21, 26, 80, 110, 135, 143, 443, 1433, 49154
  • The ones that raise an eyebrow
    • 26, 135, 1433, 49154
  • Responds without certificates
  • Susceptible to UNC mapping

In my view the site was most likely already compromised by bots and quietly harvesting data – sucks for his “high profile clients”. The fact that it was publicly brought to light would have been the only human discovery.

There was so much failure from bad coding, bad practices, bad server setup… it shouldn’t be a surprise how easy it was to spot the deficiencies of the site and server. The funny part is that I think a lot of people assume HTTPS would have been the solution, but it’s not. It would only have masked a little; it is just one added layer for security/privacy. If anything, this shows the domino effect. Security is built from the core up and you never traverse backwards, otherwise you perpetually mitigate issues (it is a lack of sympathy).

Image credit: xkcd
