Open, come in! Or a non-partisan security audit
Early March. For me personally this is not the most pleasant time of year. There is an unpleasant smell of dampness in the air, and your shoes soak through very quickly as soon as you have to wade through the loose wet snow. Out of the snow emerge the colored waste products of domestic animals, the yellow-orange filters of cigarette butts, plastic bags and other garbage. At 9 a.m. this is not so noticeable, and inwardly I was glad that I would spend lunchtime in the office. Half asleep, I walked to work thinking about the task of optimizing the script.
Today I came to work earlier than my colleagues. About 20 minutes remained before their arrival and I wanted to have some fun before a busy day. Having dug through my YouTube subscriptions, I found nothing interesting and so decided to find the network directory where we usually exchange files. Opening Explorer, I hovered over the address bar and clicked. The cursor blinked affably and invited me to enter the directory address. Absent-mindedly staring at the wall, I typed in random numbers and pressed Enter. After 3 seconds the standard Windows folder-opening sound came from the speakers.
Turning my eyes to the monitor, I saw not the usual garbage dump of files but several folders with names unfamiliar to me - “1CBase”, “Tax”, “Samples of documents”, “SONO keys”. Well yes, of course - IP 192.0.2.10. This was definitely not our local garbage can at 192.168.1.101.
Looking around the office, I smiled wickedly. Thoughts arose and vanished instantly:
- dude, you can make money on this;
- there it is, glory - it comes unexpectedly;
- Fuck, where have I climbed into.
On reflection, I realized that I did not know how to profit from accounting data and 1C databases. Suppressing an unfamiliar inner fear, which either rose to my throat or struck sharply at my heels, I began to study the files. Indeed, it was the real computer of the accountant of the company IT-Wolfram Gold Kazakhstan, located in the city of Almaty. Salary calculations in xls files, employee statements in rtf, scanned documents in jpeg, access keys to the taxpayer's personal accounts - and that was just the tip of the iceberg. After a little thought, I downloaded the places.sqlite file (the Mozilla Firefox browsing history) and studied it. I looked at the saved passwords and reread the logs of Internet messengers. Cool, I felt like a detective. The impression was that I could manage the financial side of this company or, to put it bluntly, siphon off the dough.
But inside me lived a respectable citizen of the Republic of Kazakhstan. Among the documents, in the file “My CV.docx”, I found the accountant's mobile phone number. She was a woman born in '52. Ambitious, sociable and thirsty for new knowledge, with vast experience in various organizations. Having visited the operator's website, I sent an SMS (transliterated Russian): u menja kljuchi nalogovoj i bazy prodam ili udalju skype profixakep - that is, “I have the tax keys and the databases, will sell or delete, skype profixakep”.
Again I saw shades of the detective.
After a couple of minutes a certain Talgat wrote to me on Skype. I understood this was about my case. A colleague came in, I greeted him and pretended to be very busy with work. I wrote:
- Good afternoon. I'm listening.
There was a pause for about two minutes. They answered me:
- Regarding the SMS ... Is there evidence?
- Yes, keys to SONO, bases, documents. I am not an attacker, I just show the vulnerability.
They clearly did not want to answer. When I pressed the point that I had dumped all the info onto my hard drive and gained access to Internet banking, I got the answer:
- The computer is old, the databases are old, the info is not relevant.
Suddenly I wanted to forget all this and get to work. I blocked Talgat and deleted him from the contact list. I had used Skype under my real details, I had not copied anything to my hard drive, there was nothing to fear, and I switched to work.
Arriving home and sitting down to read the VKontakte feed, I found a private message from Talgat:
- I've been looking: you're a good guy, you are fond of robotics and your site is useful. Why scare grandmothers? Our accountant panicked and called the chief. The chief said to write a statement to the authorities. I persuaded him not to and explained that you are just a kulhacker - and even without anonymity (!) - who simply doesn't understand what he is getting into. You are lucky that I figured out what the matter was. Others would not have understood - straight to the police. Don't do this anymore! Do useful things.
This message hit me. It seems I pointed out a mistake, he admitted it was there, and now it's the police on me.
The conversation began:
Me: So I said that I was not an attacker. The disk partition is shared and visible to anyone.
Talgat: Not to anyone, but to users of the local network.
Me: You tell the boss. I didn't even use a scanner, I accidentally entered an IP address from Kazakhtelecom's range into the address bar. It's a pity there is no telnet client in Win 7, and I was too lazy to download putty.
Talgat: I'll explain it more simply. Nobody put the files out for sharing. Using a vulnerability is like breaking a bad lock. It does not give you a legitimate reason to break open the door and steal someone else's property. Right?
Me: How were they not shared? The files had public access via the SMB protocol. No authorization. Almost anyone on the Internet could access them. Someone else would have leaked it (and believe me, there are places to) and your company would have incurred losses. And this is not a vulnerability. This is the crooked hands of the system administrator.
Talgat: I spoke with the chief. We have nothing secret in the databases. Banking does not work without the card. There is nothing to lose. As for crooked hands, it seems: I'm starting to understand what the matter is ...
Me: But we know what the matter is. It is better to configure the LAN and access to devices and partitions once.
Talgat: The IPs, the public network ... I did not think that everything was so neglected.
Me: So let your boss give me a prize for a security audit.
Talgat: Our sysadmin is, in general, a network installer. And I work on the project as a dumb user.
Me: It is necessary to write an article, otherwise I can’t get an invite to Habr.
Talgat: I'll talk to the chief about the audit, now I'll have to clean it up myself. Thanks again!
I woke up from someone pushing my shoulder. Raising my head, I saw my director and realized that I had once again fallen asleep at my workplace, having stayed late yesterday. Time to wrap up the optimization and move on to the next tasks.