Monday, July 6, 2009

Exposing Security holes is not funny business

This is being written for CYA purposes.

In reading some tweets from someone I noticed a link to a site which was personally and professionally relevant.

A nice usage of a shared calendar and I investigated it deeper.

As I usually am want to do, I tested their network for basic security holes which would usually point to junior admins work or one of those "damn forgot to fix this" moments of us senior admins.

And sure enough their NAB is exposed. Not only that but the server IDs as well as most employee ID files are attached in the NAB and free to be downloaded. Oh and employee personal details are exposed as well, kids, home address, etc.

Odds the server IDs have a password? I'm not going to check to find out but my guess is they don't.

And the top 2 senior executive ID files? Yes, you guessed it attached.

I sent one of the executives, responsible for IT, an email outlining what we can do to help them with this problem and that they should really take notice of it.

Sometimes this leads to clients, sometimes not. But it does point out the larger picture which is just because you run Domino on a non-Windows platform, doesn't mean your IT staff knows anything about securing Domino, although I am sure they are excellent at their OS of choice.

This is NOT funny and sadly it is an R8.5 server too which means that either they did this on their own, with no advice or worse another BP did it and really exposed them to potential lawsuits and other potential issues.

Either way hopefully we will at least be able to discuss this with them further before it goes on like this for too long.

The bottom line is NEVER make your NAB open to the outside world. Default should always be No Access. If you have an internet connected server you are just asking for trouble.

Luckily they have it set to reader and not editor! I will NOT test delete but my guess is that is available to me, although adding a person is not.

And for those who question how bad is this, I COULD recreate any of their servers, then their certs, after all I have valid server IDs and user IDs and can read the NAB so I could build a server to match theirs and then create accounts as the executives and start sending out 100% valid emails. In fact this is how I had to save 2 customers in the last year, I posted about them too.

Not funny at all. A great write up case potentially for Lotusphere.