When will they ever learn

by Volker Weber

If you choose convenience over safety your security nightmares will haunt you for a very long time. Case in point: Open Domino address books with IDs attached. Anybody want to bet on how carefully passwords are chosen? No, I don't want to link to any address books in the .mil domain. :-)


Oh. My. God.

How can an organisation leave itself so wide open like this? Good grief.

Ben Poole, 2005-01-05

Ben, think 'server id' and the aforementioned TLD.

Volker Weber, 2005-01-05

Convenience or laziness?

I am not sure what is convenient about an open Domino Directory, but they used to be open by default and my guess is that some admin there never got around to locking down the ACLs.

Chris Linfoot, 2005-01-05

Well, I sent an email to some people listed in the Security tab of their server doc.

We can all laugh at their pants being down, but someone should show them how to pull them up...

And who knows, it could turn into some business :)

Rocky Oliver, 2005-01-05

Chris, Lotus chose convenience by shipping the open configuration prior to 5.0.something.

Of course, Rocky. Do you need some ideas how to use Google to come up with more potential customers? Wolfgang Flamme can tell you a very long story about how he tried to convince Lotus customers to pull up their pants and they did not even care.

Volker Weber, 2005-01-05

Things like this lead to consultants saying that Domino per se is an insecure web server. :-(

Oliver Regelmann, 2005-01-05

Probably true, Volker (re: not even caring). I don't think I want to resort to trolling Google for potential clients, but if it is in front of me I'll at least try to warn them :)

Rocky Oliver, 2005-01-05

It's interesting. A job that I interviewed for this past summer had some huge security flaws in their site as well. This was after the interview in which they told me that their admin was a "liability." I found the errors at home while waiting for the second interview and let them know all about them. They thanked me profusely and then I didn't hear from them for weeks.

When I called them back, they said they had decided to keep their admin after all. Very strange how some companies can act like this...


John Roling, 2005-01-05

It also has spouse's name and home telephone number etc - so wrong!

Although whilst making a good point about an open server - is it wise to link directly to an individual's document? - Some people might use the information wrongly! - or maybe you know the guy.

Steve Castledine, 2005-01-05

A lovely way for an email-harvester bot to get good email addresses ... I wouldn't be too surprised if they suddenly get thousands more spam emails than usual ...

What about the legal implications of revealing such sensitive data? Is it possible for someone to sue the company for releasing such personal details to the public without their consent/approval?

Also, accessing their site without typing in the "www." will reveal all the databases listed on their webserver ... I wonder which of those databases are hackable?

More importantly, why are they not using a notes database for their website? Why use HTML pages?!? :-)


Richard Civil, 2005-01-05

Once again: This is not an isolated incident. This site is only an example for a very large number of similar sites, some of them having even larger issues.

Volker Weber, 2005-01-05

Volker: Lotus was very aware of the issues. In fact, I was personally involved (from the Domino Admin side of things) in most of the work items to make sure that these things get resolved:

- We locked down all system template ACLs in R6.0 to "Anonymous=No Access" and also, if possible "-Default-=No Access".
- We added a step to the server setup wizard which would, by default, lock down all other databases found on the server, too.
- Furthermore, we extended the core authentication system of the server so that ALL processes (smtp, pop, http, etc) would pay attention to the server security lists (in R5, this only applied to NRPC/Notes client access).

Now obviously, you need to actually install and deploy R6 to get these things out of the box, or stay on an R5 installation and tweak it manually.

Thomas Gumz, 2005-01-05
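
The lockdown described in the comment above (Anonymous=No Access and, if possible, -Default-=No Access) can be checked across a server's databases. The Python below is an added example, not part of the original thread or of any Lotus tooling; the pipe-separated inventory format and its entries are constructed for illustration, and it relies on the Domino rule that an ACL without an Anonymous entry gives unauthenticated users the -Default- level.

```python
# Added example: report databases that unauthenticated web users can open.
# Inventory format "database|ACL entry|access level" is constructed, not a Domino export.

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

SAMPLE_INVENTORY = """\
names.nsf|-Default-|Reader
names.nsf|LocalDomainAdmins|Manager
mail/jdoe.nsf|-Default-|No Access
mail/jdoe.nsf|Anonymous|No Access
jobs.nsf|-Default-|Author
jobs.nsf|Anonymous|Reader
help/help5.nsf|-Default-|Reader
help/help5.nsf|Anonymous|No Access
"""

def parse_inventory(text):
    """Return {database: {lower-cased entry name: access level}}."""
    acls = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[2] not in LEVELS:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        db, name, level = parts
        acls.setdefault(db, {})[name.lower()] = level
    return acls

def anonymous_level(acl):
    # An explicit Anonymous entry wins; without one, -Default- applies.
    # Treating a missing -Default- as "No Access" is an assumption of this example.
    if "anonymous" in acl:
        return acl["anonymous"]
    return acl.get("-default-", "No Access")

def audit(acls):
    """List (database, level, source entry) where anonymous access is not No Access."""
    findings = []
    for db in sorted(acls):
        acl = acls[db]
        level = anonymous_level(acl)
        if level != "No Access":
            source = "Anonymous" if "anonymous" in acl else "-Default- (no Anonymous entry)"
            findings.append((db, level, source))
    return findings

if __name__ == "__main__":
    for db, level, source in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{db}: anonymous users get {level} via {source}")
```
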

I actually, while looking for a job a while back, noticed that the "Jobs" database that housed this company's open job postings was written in and served via Domino. Their search was absolutely horrible, so I simply removed the query string from the URL and hit the database with $$DefaultNav. This produced a HUGE list of views that allowed me to see not only a Lotus Notes developer position, which was why I was there, but also a complete listing of all people over the last several months that had applied to various jobs - included in this was their resume, contact info and even as far as their SSNs (as the company did background checks).

Stunned, I contacted a buddy who knew someone in IT that worked at that company. I showed the buddy who quickly thanked me for the heads up and went to his boss. I then heard from his boss complaining that I hacked their systems and that he could press charges/etc. (Later that day however he got the whole story and called me back apologizing that he mis-"understood that I broke into the systems and was caught stealing info - not that 'someone' COULD break in and steal info and I was the one who brought that to [their] attention").

Chris Toohey, 2005-01-05

Yes, I am aware that R6 does not have these problems anymore when you do a fresh install. What I am saying is that the mistakes you made in the past will haunt you for a long time. Microsoft is in a similar trap.

Volker Weber, 2005-01-05

Just tried the link, got a u/pw prompt. So I guess Rocky tickled their bippies

Bob Balaban, 2005-01-06

Last year I had a contract at Wachovia Bank. It was one of the most poorly managed and developed Notes environments I've ever seen, and between their admin and app mess and HP's handling of the contractors contracting to contractors at 5 levels or more, I can say that it was the worst experience of my working life. Glad to be out of there.

My similar case in point: Almost everyone's ID was stored in the NAB (45K+ users!) and they all had the same very simple password.

Brian Benz, 2005-01-06

I have seen it many times now. I have also had the argument that it's a security flaw in Domino. My opinion... of course it's not. It's not a problem with the application and it doesn't require a patch to fix it. The most basic Admin training in the world will resolve this issue. Even a quick google will list the top 10 most basic things an administrator should do with Domino.

Paul Mooney, 2005-01-06

It's easy enough to find other similar sites via Google. A bit scary if you ask me. The question is, should we track down these sites and inform them? Do we have any sort of obligation? Probably not, but I can't help feeling like I should inform sites like this.

Tony Kelleran, 2005-01-11

Well, personally, whenever I encounter a website using Lotus Domino I do some basic security-testing.
If I find any obvious holes then I report them to their postmaster/admin.
I think that it is just good to help some of the clueless Domino-Admins out there. It will help Domino in the long run if we can help secure the default, insecure installations out there.

Dag Kvello, 2005-01-12
