solebta.blogg.se

Ip wanscam




You couldn't write code this bad if you tried. In the early 2000s I was a low-level sysadmin for a healthcare supply company. The CRM/patient management software they used was a giant VB turd. I had always suspected it was horribly insecure. The client UI consisted of hundreds of modal dialog boxes; using it you could tell it just had to be horribly broken. One day I had some time so I decided to fire up a packet sniffer and see what was going over the wire when you logged in and did stuff. Of course all the traffic was plain text. Username, password, patient medical and billing information, everything. So, pretty bad, but not all that surprising. It's not as if this was the only thing that would cause us to fail a HIPAA compliance audit.

A closer look at the login handshake would reveal to me a level of incompetence I wouldn't have believed was possible. When logging in the client never sent the password to the server, only the username. But the password was definitely being sent over the wire - by the motherfucking server. On login the client was sending the server a username, the server was responding back with that user's password, and the client was doing the validation. I googled a C sockets tutorial and by the end of the day had a little command line program that would output the password for any user you wanted. No man in the middle required - the server was happy to give you the user's password. These idiots had done such a piss-poor job that someone with zero network programming experience (and not much more programming experience period) had gotten the keys to the kingdom.