Wednesday, June 29, 2011

LulzSec was right

I'm posting a story that someone communicated to me, which highlights how bad the state of IT security is. Take it with a grain of salt or a bar of chocolate (which is better than a grain of salt). I for one believe it. I've paraphrased some parts where I thought that idioms might hint at the identity of the person:

I decided, not for shits and giggles, but because I was bored, to see how easy it really is to find credentials on google.

It's *really* easy.

I wasn't even expecting it to work, so I wasn't even on a proxy.

It's just a simple search like:
site:[domain part to target, like com or (this weeds out all the .edu sites that have example SQL)] filetype:SQL password

Then, look at all the companies that either have hashed passwords, or in the case of some, plain text ones... Done.


I didn't believe I could have found real credentials, so I tried one gmail account. It worked. But Google has extra protection. It asks for the answer to one of a few questions, or a mobile verification when you log in from a new location.
Unfortunately, the site on which I found the credentials stored a city name in the user table and one of the questions is "from which city do you normally sign in" or similar.

So, I sent the poor guy an email from his own account, reproduced below.

But this raises some questions...
I can understand somehow, in some universe with really bad security, accidentally exposing a .bak file for a backed up database, but how the hell can you go through the step of scripting out your entire database, including data, and then expose that one, massive text file? That's just negligence far beyond what LulzSec was going on about.
How can this not already have come to the fore? If I were a criminal, I would have already exploited all those exposed accounts so that the next guy who comes along is too late. Keep in mind that I only tried one account, once, and it worked first time.

I really feel quite sick about the whole thing.


Hi [redacted],

[redacted].com has your username and password online.

It also has [redacted] as your location.
Because you reused your username and password, even with Google's extra verification where it asked for where you normally sign in from, your account could be accessed.

Change all your passwords and report this to the website and the authorities.

Never reuse passwords across sites or trust people to store your information securely.
I just decided to have a look around because I was wondering if all the LulzSec stuff was actually highlighting the terrible state of things. It clearly is.

I'm sorry if this email causes you any distress. I honestly didn't think I would get access with no effort.

I'm sure I can be tracked down if anyone tries, but please take this in good spirit. It could have been someone with criminal intent.
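A defender-side counterpart to the story above, added here as an example and not part of the original post or the reproduced email: a small triage script that finds database dumps left under a web document root and reports, for each credential-like column, how many rows hold plaintext values versus recognisable hashes. The regexes assume mysqldump-style output, and the sample dump is constructed.

```python
import re
from pathlib import Path

DUMP_SUFFIXES = {".sql", ".bak", ".dump"}  # dump extensions commonly left in a web root
# Loose regexes for mysqldump-style output; a ')' or ';' inside a quoted value confuses them
CREATE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*(?:ENGINE|;)", re.I | re.S)
INSERT_RE = re.compile(r"INSERT INTO\s+`?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*(.*?);", re.I | re.S)
ROW_RE = re.compile(r"\((.*?)\)(?=\s*(?:,|$))", re.S)
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,'\s][^,]*)")
CRED_NAME = re.compile(r"^(?:pass(?:word|wd)?|pwd|secret)$", re.I)
# Values that are clearly digests (hex MD5/SHA-1/SHA-256) or crypt(3)/bcrypt strings
HASHED = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|\$(?:1|2[aby]|5|6)\$.+)$", re.I)

def credential_columns(create_body):
    """Position -> name of backticked columns with credential-like names; KEY lines lack backticks."""
    cols = [m.group(1) for m in (re.match(r"\s*`(\w+)`", p) for p in create_body.split(",")) if m]
    return {i: n for i, n in enumerate(cols) if CRED_NAME.match(n)}

def scan_dump(text):
    """Return {(table, column): (plaintext_rows, hashed_rows)} for credential columns."""
    schemas = {t.lower(): credential_columns(body) for t, body in CREATE_RE.findall(text)}
    findings = {}
    for table, values in INSERT_RE.findall(text):
        cred = schemas.get(table.lower())
        if not cred:
            continue
        for row in ROW_RE.findall(values):
            vals = [b.strip() if b else q for q, b in VALUE_RE.findall(row)]
            for idx, col in cred.items():
                if idx < len(vals):
                    plain, hashed = findings.get((table, col), (0, 0))
                    is_hash = bool(HASHED.match(vals[idx]))
                    findings[(table, col)] = (plain + (not is_hash), hashed + is_hash)
    return findings

def scan_web_root(root):
    """Return {path: findings} for every dump-like file under a document root."""
    paths = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in DUMP_SUFFIXES)
    return {str(p): f for p in paths if (f := scan_dump(p.read_text(errors="replace")))}

# Constructed sample in mysqldump style (not real data): one hashed and one plaintext row
SAMPLE_DUMP = """CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(64) NOT NULL,
  `password` varchar(255) NOT NULL,
  `city` varchar(64) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `users` VALUES (1,'alice','0123456789abcdef0123456789abcdef','London'),(2,'bob','hunter2','Paris');
"""
```

Running `scan_web_root("/var/www/html")` (path is an assumption) on a server that serves its document root directly lists exactly the files a search engine could have indexed; any non-empty result is a finding regardless of whether the values are hashed.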


