Published on 2021-03-01. Modified on 2021-03-02.
These last couple of days I have been working for a company that contacted me because they were suffering from some "hacking" problems on their website. The company is run by two hardworking entrepreneurs, who know a lot about how to run a successful business, but close to nothing about computer-related security.
These guys naturally trusted their entire IT infrastructure to a couple of external IT companies and they also used a couple of one-man freelance developers for different smaller tasks.
It is a real shame, but I must admit that I am not surprised at my findings. None of these IT companies or one-man freelance developers had the least knowledge about security. What they did is just about what everyone else is doing these days - blindly following hype and trends!
Monkey see, monkey do - blind following
I'm going to skip ahead because the complexity of the problems is almost too difficult to describe, but let's just say that everything is a mess! From how the computers at the office are being used, to the implemented password policy, to lacking firewall implementations, to yes, just about everything is a problem. However, despite multiple possible attack vectors, can you guess where the attackers have actually chosen to focus their payload?
I would have expected that the websites would be infested with web shells, SPAM bots, cross-site scripting, and all the other "good stuff", but no.
And I'm sick of it!