Guilty ?

[Chance1234]

Just a observation, being a regular user of tek-tips across a vareity of boards , it is amazing how much you can pick up about what is happening in certain companies,

also on the lot of the programming side, such things as people askign how can they for example password protect a program is great especially when they post wiht there work e-mail !

also the amoutn of financial and staff data that appears when people post examples,

It would take a lot of sitting down an anaysising the boards but you could gather some very useful and potentially disturbing informaiton

Chance

http://WWW.5YLAC.S5.COM

 

[garwain]

It happens everywhere on every technical forum and mailing list, and newsgroup. I have advised people before and continue to do so. The best is in the apache and linux forums where a person will post their entire server setup along with their configuration files. Now they have put out (in 1 post) a list of domain names and IPs pointing to their machine, every important process running, and their current configuration. These posts contain all the information a hacker could want.

I've also seen people say "HELP! I'm infected with nimda See these lines from my log say so:"
nice, you just alerted the world that there is a hole open on your server, and pointed them to it...

Whenever I post anything, be it code, sql output, log files, or config files I'll be careful to overwrite any data that could be considered sensitive.

 

[rycamor]

Amen to that.

The simple truth is that very few business managers or computer people take security seriously. I was just on the phone helping out the owner of an IT head-hunting firm who explained to me that every email address on their server used the email name as the password. And he wasn't asking me to change this!! He just stated it as a fact, to explain how I could log in and check out the accounts.

And just about everyone who has asked me to do remote work on a Linux or Unix server has emailed me the root password in plain text, in spite of my insistence to use PGP, or at least to just tell me over the telephone. In these cases, the first thing you have to do is change that password, fast.

Yes, I'm sure there are more than a few unscrupulous people browsing through Tek-Tips to gather this kind of information. In fact, once, back in '99, I was hacked, and I believe it was by someone who found me in Tek-Tips. I haven't figured out exactly what happened, to this day. I admit that I was a bit more of a newbie at that time, but I still never posted any sensitive information.

This was a serious hack. Somehow, I think I mentioned my domain name, and the fact that I was learning FreeBSD. So one day I came in to my office, and went to log into my FreeBSD box as root, and it popped right in without even prompting me for a password. Somehow the hacker had wiped out the root password!! I didn't find anything else missing, but I wiped and re-installed the box anyway.

Then, I received an email, notifying me of a response to one of my Tek-Tips posts. The funny thing was, I never made that post! Somehow, the guy got my Tek-Tips handle and password, and impersonated me, posting an embarrassing newbie-ish question, and signing it 'Ryc4m0r' at the bottom. Obviously it was someone just toying with me, because I had no information worth stealing, but it just showed me how easy it is to be a target, even when you are careful. I'm sure a good many of the posters here have been hacked, and never even realized it. -------------------------------------------

"Now, this might cause some discomfort..."
(

http://www.wired.com/news/politics/0,1283,51274,00.html)

 

[BeckahC]

I always worry about this. When I post code, I put in things like "insert database name here" and field1, field2 field 3, etc... You can't be too careful. It always shocks me when people just post a whole page of code, complete with server and database and field names and then some... BeckahC

 

[GUJUm0deL]

BeckahC, right on! I also when post portion of my code change all relevant info. to formNAME, fieldNAME, email@here.com, etc
Not because I wanna mislead someone but for security reasons...it also amazes me when some people actualy post the link where they need help in, and at the same time leak some sensitive information in the thread... I have not failed; I merely found 100,000 different ways of not succeding...

 

[sleipnir214]

It's not just just people here. It's not just techies, either. And it's not just now.

Ever seen one of the WWII posters reminding people that "Loose Lips Sink Ships"?
______________________________________________________________________
Never forget that we are
made of the stuff of stars

 

[Wullie]

rycamor,

From what you have said, I might just know how this person got these details...

I am not going to get into this on TT but if you want, e-mail me at the address below.

And, for anyone else thinking I have something to hide, I don't, it's just something I don't want the wrong people to see.

Hope this helps Wullie

sales@freshlookdesign.co.uk

http://www.freshlookdesign.co.uk

http://www.searchit-now.co.uk

 

[aexley]

Just a moment of thanks to you all for pointing out a couple of things I do all the time. I tend to use fieldnames & database names in my posts, ostensibly for clarity, but I realise now that it's probably not a wise thing to do. Whilst we are well protected here now (we weren't at Christmas when a mass-mailer swept through the system) nobody's invulnerable and handing out specific pieces of information regarding your system is obviously a daft thing to do.

Thanks,

aexley

 

[BeckahC]

It is very important to be careful what we post! I am so very, very careful not to even so much a spost my company name... I don't think people even know where we're located... though it's simple to say East cost of US because of how I speak and when I am on-line... I would be very afraid of giving out info that doesn't "seem" important or sensitive to me... but what if it can be used in a way I do not know to find out more info, and then to get more and more, and then the whole "leak" can be traced to me, I'm out of a job, etc.... I have been tempted to put more about me or about the company or the work I do... and then I think.... would I sleep at night? ;-)

What we know, no matter what level of security access we have in our companies, is sacred. If we give up those secrets (secret or not) to people we do not know, then we are truely guilty, IMO, of a terrible, terrible breach of ethics.

(Sorry if I sound a bit pushy, I feel strongly about it, that's all) BeckahC

 

[sleipnir214]

BeckahC:
What's the old adage? "Just because you're paranoid doesn't mean the whole world's out to get you."

Folks on the internet certainly don't take security seriously. It's not that they don't take it seriously enough -- it's that they don't think about it at all.

I have entries in my web server logs from as late as two days ago showing attempts by IIS worms to infect my system.

Every one of us knows of lusers who open every damned email attachment that arrives at their inboxes.

And then it's we Morlocks who have to work all weekend because some Eloi saw fit to turn off his virus checker. ______________________________________________________________________
Never forget that we are
made of the stuff of stars

 

[SteveTheGeek]

sleipnir,
I've always thought the saying was "You're only paranoid if they're NOT really after you."
Works for me.
-Steve

 

[sleipnir214]

SteveTheGeek:
[expletive deleted]. Yeah, leaving that "not" out of the statement does change it's meaning, doesn't it?

BeckahC:
Change 1: In the first paragraph of my previous post, replace the phrase "world's out" with the phrase "world's NOT out". ______________________________________________________________________
Never forget that we are
made of the stuff of stars