
Thread: Info Security: Worst-case scenarios of this job

  1. #11
    b0nd (... I am no Expert)
    And here comes a great one from my manager, who claims to be a big techie guy:

    A couple of days ago, for an internal penetration test, I was advised by him to take a whole desktop to the client site to perform the task.
    Explanation: desktops are more powerful than laptops ... shouldn't he know that our laptops have a better config than the desktops? A perfect example of a lame manager.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  2. #12
    This is an interesting thread! Here are two incidents that stand out in my career:
    1. Several months ago, while performing a PT for a bank, I managed to get a SQLi shell via their corporate website. xp_cmdshell gave me the way in and I was able to execute commands. I submitted the report with an ipconfig output and the management had no clue what it was. So I had to improvise and use some inside help to get a screenshot of shutdown -s -t 600. That was when the management freaked out. In the end my inside friend got a show-cause and the site was fixed a month later.
    2. In another case, a customer wanted us to do DoS testing. I managed to generate enough requests to their Oracle Listener service that it crashed. I restarted the service with the help of the admin guys and made a formal management report. At the "Findings Presentation" with the management and tech guys a month later, I was surprised to find that the people who had approved the DoS testing were no longer with the company and the current management didn't like what I had done. That customer was a real pain in the ***. It took me a week to explain the dangers and advantages of DoS testing. Since then I make sure that the customer really understands what he approves us to do.
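An added example, not code from the post above: the attack in point 1 leaves a recognisable trace in the web server's access log, and this Python script shows what a detection over such lines has to cope with. It normalises the request target (layered URL-encoding, plus inline SQL comments used to split keywords such as xp_/**/cmdshell) before matching indicators of a stacked xp_cmdshell call. The log lines, the common-log-format layout and the indicator list are constructed for the demo; the IP 10.0.0.9 walks the same path the story describes, ending with a shutdown command.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format assumed); not from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2011:10:01:02 +0530] "GET /products.aspx?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jul/2011:10:01:09 +0530] "GET /products.aspx?id=42';exec%20master..xp_cmdshell%20'ipconfig'-- HTTP/1.1" 500 312
10.0.0.9 - - [01/Jul/2011:10:02:15 +0530] "GET /products.aspx?id=42%27%3Bexec%2520master..xp_cmdshell%2520%27shutdown%20-s%20-t%20600%27-- HTTP/1.1" 500 312
10.0.0.9 - - [01/Jul/2011:10:03:40 +0530] "GET /search.aspx?q=xp_/**/cmdshell HTTP/1.1" 200 771
10.0.0.7 - - [01/Jul/2011:10:04:00 +0530] "GET /about.aspx HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Matched against the normalised target; dict order is the report order.
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "sp_configure": re.compile(r"sp_configure"),
    "stacked_exec": re.compile(r";\s*exec(ute)?\b"),
    "shutdown": re.compile(r"\bshutdown\b"),
    "comment_terminator": re.compile(r"--"),
}


def normalize(target):
    """Undo layered URL-encoding and inline SQL comments so keywords line up."""
    s = target
    for _ in range(3):                     # bounded: %2525... chains must end somewhere
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", "", s)        # xp_/**/cmdshell -> xp_cmdshell
    return s.lower()


def scan_log(text):
    """Return one hit per suspicious request: client ip, raw target, indicator names."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize(m.group("target"))
        found = [name for name, rx in INDICATORS.items() if rx.search(norm)]
        if found:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "indicators": found})
    return hits


def sources(hits):
    """Flagged requests per client address; one address retrying is the pattern to chase."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], ",".join(h["indicators"]), h["target"])
    print(sources(scan_log(SAMPLE_LOG)))
```

The decode loop is deliberately bounded: an attacker can nest encodings, but a detector that decodes forever is a DoS of its own. Matching on the decoded form is what catches the double-encoded third request, which a naive substring search for "xp_cmdshell" on the raw log line would also find, but the shutdown command inside it would not.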

  3. #13
    fb1h2s (Security Researcher)
    @bond don't tell me that happened :P
    @kani, lol

    He he, I will miss all the fun of consulting :P
    Hacking Is a Matter of Time Knowledge and Patience

  4. #14
    AnArKI (Infosec Enthusiast)
    I had a meeting with a client to discuss the observations and do a kind of moderation on the risk ratings.

    The client's public-facing business portal failed all ten risks of the OWASP Top 10.

    The client comes out with: 'I have not been hacked for the last 10 years and you are talking to me about critical risks.'

    I felt like tearing myself apart then and there.

  5. #15
    My experience:

    I was at a client site for an internal VA. The server had a custom business application.
    When I port-scanned it I found many ports open; most of them behaved like the discard service.
    I was going to recommend closing all unknown apps. So, just to make sure I didn't recommend closing the custom app by mistake, I went to the application owner to find out which port the custom app used.
    That guy called the tech team head. The tech team head answered, "What port? No, no, our application communicates with clients directly."
    I requested someone from the programming team. The next day the programmer (if he wasn't a dummy) said the same thing.

    One funny incident:

    A good colleague of mine and I were out on a process audit.
    While I sat silently, my colleague was questioning the young lady who was the DBA there.
    After a couple of questions he said, "Anyway... it's 1:30 now, it's time for lunch."
    At that the girl, with a mixture of anger and fear on her face, said, "Nah... I carry my own tiffin!" :P
    My stoned colleague then somehow managed to convince her that he was not asking her out; he was just saying that we would continue the questions after lunch.
    Fairy tales do not tell children the dragons exist. Children already know that dragons exist. Fairy tales tell children the dragons can be killed
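An added example, not code from the post above: "behaving like the discard service" is a behaviour you can test for rather than guess at, and when the application owner cannot name the port, the probe is often the only way to find the custom app among the unknown listeners. This Python script starts four local listeners that imitate what a scan turns up (a service that talks first, an echo, a discard that swallows input and stays silent, and one that closes on the first unexpected bytes) and a probe that tells them apart by whether a banner arrives, whether anything comes back, and whether the peer closed. The listeners, the probe string and the labels are constructed for the demo; real services need a longer timeout and protocol-specific probes.

```python
import socket
import threading

PROBE = b"GET / HTTP/1.0\r\n\r\n"   # deliberately wrong for most protocols: we want a reaction


def _serve(kind, srv):
    """Accept connections one at a time and behave like the named demo service."""
    while True:
        conn, _ = srv.accept()
        with conn:
            try:
                if kind == "banner":
                    conn.sendall(b"220 demo service ready\r\n")
                data = conn.recv(4096)
                if kind == "echo":
                    conn.sendall(data)
                elif kind == "discard":
                    # RFC 863 style: swallow everything, answer nothing, and keep the
                    # connection open until the client gives up.
                    while conn.recv(4096):
                        pass
                # kind == "close": read the probe, then just close the connection
            except OSError:
                pass


def start_listener(kind):
    """Bind an ephemeral loopback port and serve `kind` from a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve, args=(kind, srv), daemon=True).start()
    return srv.getsockname()[1]


def _recv(sock):
    """Bytes received, b"" on a clean close, or None if nothing arrived in time."""
    try:
        return sock.recv(4096)
    except socket.timeout:
        return None
    except ConnectionError:
        return b""


def classify_port(host, port, timeout=0.5):
    """Connect, wait for a banner, send a probe, and label the behaviour seen."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv(s)
        if banner:
            return "banner"                  # the service speaks first (SMTP, FTP, SSH style)
        if banner == b"":
            return "closed on connect"       # accepted, then dropped us before we sent anything
        s.sendall(PROBE)
        reply = _recv(s)
    if reply is None:
        return "silent (discard-like)"       # accepted, swallowed the data, said nothing
    if reply == b"":
        return "closed on probe"             # accepted, then closed: likely a protocol mismatch
    if reply == PROBE:
        return "echo-like"
    return "responds"


if __name__ == "__main__":
    for kind in ("banner", "echo", "discard", "close"):
        port = start_listener(kind)
        print(kind, port, "->", classify_port("127.0.0.1", port))
```

A listener that accepts and then says nothing is indistinguishable from a service waiting for a protocol it never gets, so "silent" is a reason to go and ask the owner for a packet capture or a process-to-port mapping on the host, not a reason to recommend closing it.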

  6. #16
    Quote originally posted by Godwin Austin (the post above, #15, quoted in full)
    The second one was hilarious ;-)
    Last edited by neo; 07-01-2011 at 09:42 AM.
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*

    *Conditions Apply

  7. #17
    Quoting point 2 of post #12 above (the Oracle Listener DoS test).
    @karniv0re
    You were too kind. I would have said I had written permission for everything we did. Like it or not, that's not my problem.
    Orkut id: neo1981

  8. #18
    the_empty (InfoSec Consultant)
    I just came back from a client where the CISO writes down the passwords to all network devices, a jr. net admin uses those to provide unauthorized internet access to a girl he had a crush on, and a developer girl stores version-wise application source code, all documentation, the database holding biometric data (the entire thing), etc. on a public share (along with family photos and picnic plans :P)
    ACCESS is GOD
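An added example, not code from the post above: finding what the_empty describes on a public share is usually a walk, not a forensic exercise, and this Python script is the triage a practitioner runs over a mounted share. It flags files by extension (backups, source, config, key material), by well-known filenames (id_rsa and friends), and by content in text files (PEM private keys, password= or secret= assignments), reading only the head of each file and skipping binaries. The share layout, file names and contents in build_sample_share are constructed to mirror the post; the extension and content lists are a starting point, not a complete classifier.

```python
import os
import re
import tempfile

# Extension-based triage: things that should never sit on an open share.
SENSITIVE_EXT = {
    ".bak": "database dump/backup", ".mdf": "database file", ".sql": "sql script",
    ".cs": "source code", ".java": "source code", ".py": "source code", ".php": "source code",
    ".config": "application config", ".pem": "key material", ".pfx": "key material",
}
KEY_FILENAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", ".htpasswd"}

# Content-based triage for text files: credentials and key material.
CONTENT_RULES = {
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded credential": re.compile(r"(?i)\b(passw(or)?d|pwd|secret|api[_-]?key)\s*[:=]\s*\S+"),
}
TEXT_LIMIT = 64 * 1024   # only the head of each file is inspected


def content_matches(path):
    """Labels of content rules that fire on the head of a text file (binaries are skipped)."""
    try:
        with open(path, "rb") as f:
            head = f.read(TEXT_LIMIT)
    except OSError:
        return []
    if b"\x00" in head:
        return []
    text = head.decode("utf-8", errors="replace")
    return [label for label, rx in CONTENT_RULES.items() if rx.search(text)]


def scan_share(root):
    """Walk `root` and return sorted (relative path, sorted reasons) for every flagged file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if ext in SENSITIVE_EXT:
                reasons.append(SENSITIVE_EXT[ext])
            if name.lower() in KEY_FILENAMES:
                reasons.append("key material")
            reasons += content_matches(path)
            if reasons:
                findings.append((rel, sorted(set(reasons))))
    return sorted(findings)


def build_sample_share():
    """Constructed share mirroring the post: source, config, a DB backup, a key, photos."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "src/v1.2/BiometricService.cs": "public class BiometricService { }\n",
        "src/v1.2/Web.config": '<add connectionString="Server=db1;User Id=sa;Password=S3cret!;" />\n',
        "db/biometrics_full.bak": b"\x00\x01TAPE\x00" + bytes(64),
        "docs/design-notes.md": "# Enrolment flow\nTemplates are hashed before storage.\n",
        "photos/picnic.jpg": b"\xff\xd8\xff\xe0" + bytes(32),
        "ops/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data if isinstance(data, bytes) else data.encode("utf-8"))
    return root


if __name__ == "__main__":
    for rel, reasons in scan_share(build_sample_share()):
        print(rel, "->", ", ".join(reasons))
```

The picnic photos and the design notes come through clean, which is the point: the finding is not "there are files on a share" but a short list of specific files, each with the reason it matters, which is what a manager who does not know what an ipconfig output means can actually act on.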

  9. #19
    LoL, the_empty, that was the topper of all the above.
    Orkut id: neo1981
