You Can't Hack Me!
oraclemonster01
10-27-2006, 06:07 PM
I work in IT for an international Fortune 500 company. Our passwords for users and admin are ridiculously simple. *0% of user passwords are either their name, their kids' names or the company name with two digits. I cracked a random sample of passwords (*00) in just under * hours. *8% of those cracks were done using a dictionary attack. Remember this is a HUGE company.
Can someone tell me or estimate the odds that an outsider would try to hack us? I know a difficult question to answer, but as a newbie I'm relying on your experience and knowledge. My IT job kinda sucks and I would like to put a proposal together to improve corp security and create a new job for myself.
Our company has firewalls, a DMZ and passwords for everything. However we have no dedicated pen test staff, no pass auditing and I really doubt anyone checks the logs....
I would especially like to hear from you Mike*0* on this matter....thanks guys.
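A defender-side policy check for the weak patterns the post describes (a personal or company name plus digits, dictionary words, short passwords), written as an added example for this thread rather than anything the poster ran; the company name, wordlist and sample passwords are constructed stand-ins.

```python
import re

# Constructed values for the demo; in practice load the company name and a
# full wordlist (the same one a cracker would use) from configuration.
COMPANY_NAME = "xcorp"
DICTIONARY = {"password", "welcome", "summer", "monday", "oracle", "letmein"}
MIN_LENGTH = 7  # the thread's own policy: minimum length 7

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def base_word(password):
    """Lowercase and strip trailing digits/symbols: 'Summer06!' -> 'summer'.
    A production check would also undo leet substitutions (0->o, @->a)."""
    return _TRAILING_JUNK.sub("", password.lower())


def character_classes(password):
    """Count how many of the lower/upper/digit/symbol classes appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def audit_password(password, personal_names=()):
    """Return policy findings for one password; an empty list means it passed.
    personal_names: the user's own name and any family names known from
    HR data, so 'kevin2006'-style choices are rejected at change time."""
    findings = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    names = {n.lower() for n in personal_names if n} | {COMPANY_NAME}
    if any(name in lowered for name in names):
        findings.append("contains a personal or company name")
    if base_word(password) in DICTIONARY:
        findings.append("dictionary word with digits/symbols appended")
    if character_classes(password) < 3:
        findings.append("fewer than three character classes")
    return findings


def weak_fraction(sample):
    """Share of (password, names) pairs that fail the policy: the figure a
    proposal like the one above would quote for a sampled user population."""
    rows = list(sample)
    if not rows:
        return 0.0
    return sum(1 for pw, names in rows if audit_password(pw, names)) / len(rows)
```

Run at password-change time the same check rejects the choices up front instead of leaving them for an audit to find later.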
~~smart~fool~~
10-27-2006, 06:10 PM
why would someone want to hack you?
oraclemonster01
10-27-2006, 06:23 PM
I would imagine someone would want access either for monetary reasons, industrial espionage, the hell of it, a disgruntled ex-employee who got caught with porn on the company issued laptop etc....how can I gauge what the odds are- can this be gauged?
toast
10-27-2006, 06:26 PM
XD
Lol, that was the funniest subject line.
Haha, I bet if a bunch of us put our knowledge together we could own you.
Wishful thinking-
Toast
Ezekiel
10-27-2006, 07:21 PM
Well the odds that someone will try to hack you are *00% - people constantly port scan IP ranges for interesting ports, and as soon as you plug in the cable to your external router, it gets port scanned fairly regularly. Your security can be compromised within hours if your software is not up to date.
So the first place to strengthen is the initial point of communication between the internet and your internal network - this would be a standard router in home connections, but I don't know what setup you've got at a large company. A good way to strengthen the router itself is to reject ping requests from the internet - that way you at least don't get discovered by some port scans. You have to make sure that the only ports you allow incoming connections on are strictly needed, as any port you accept connections on shows up in the port scanner's logs and presents a security risk.
If there are servers you need to be accessible to the internet and you forward ports to them (such as a mail server -> port 25), you need to have a strict updating schedule for the software. If you have software that is *-2 years old, the attacker has a whole catalog of exploits he can use to own your box, but if you update regularly, you stay ahead of all but 0-day exploits.
One thing neglected by security staff is internal proxies. A lot of private networks use an internal proxy between their users and the internet, so content can be filtered and slacking is prevented. But what they fail to realize is that just as the proxy allows the users to connect out to the internet, it also allows remote attackers to use it to browse the company's intranet, exposing internal servers and all the networked users. It basically opens up their network to anyone capable of entering the company's IP address and proxy port into their browser.
Another threat is internal users. It's all very well locking down your defences, but the people already inside them can do some damage. It's trivial to get admin on Windows machines, then dump and crack the admin hash (you now have the admin password for the whole network), install a bot to drain your resources on a DDoS attack, install a reverse-connecting trojan to connect unsuspiciously on port 80 and open up your network - the list goes on.
Yet another threat is email systems. Employees are usually dumb enough to believe social engineering; couple that with an email spoofed from admin@yourdomain.com and they can be convinced to do pretty much anything.
So basically, every network in this day and age is vulnerable to someone willing to try hard enough. What you need to do is look at what you actually have that would be of interest to a cracker, and lock down the entry points to whatever that may be - from both inside and outside threats. Not many people will attempt to hack you unless you advertise blatantly that you have valuable data.
I challenge you to open this up to all the members of this forum - give us details about your company and we'll assess it.
nozf3r4tu
10-27-2006, 08:34 PM
oracle, I will have to agree with mike *00% on this matter. Even by random you will get hacked sooner or later. I personally think that internal proxies will be a good way to find the way in. It will only take little time for fancy programs to find a weakness on the server. Try to do it yourself with the latest edition of accessdiver. Also there are programs now that not only can find the exploit, but work with the cgi and exploits to get in.
Just think for a moment, bigger and more important servers have been hacked, I'm sure any script kiddie with the right tools will be more than glad to help you out..lol.
Nozf*r4tu
http://www.amishrakefight.org/gfy
oraclemonster01
10-27-2006, 11:40 PM
I'm very leery about giving out too much company info for obvious reasons. I like working there. However, in the interest of trying to improve my job and help these poor suckers...I'll try to strike a balance. First no company name: If you figure it out I'm impressed. Secondly I won't intentionally give out any info that could be damaging. It's not that I don't trust the community, but the first thing I learned is not to trust anyone. I think we can all agree on that one.
X Corp is running IIS version 6
I believe * domain servers
We use Win Server 200*
SQL Server 2000
IBM AS/400 Mainframes
Lotus Notes mail
Workstations run XP Professional
LanMan hashes are not disabled
Null sessions are not disabled
6 DMOZ's
Un******* and open wireless network at corporate
AT&T Dialer is used
I assume Apache?
No Unix or Linux
Onsite and offsite servers
Passwords must be changed every *0 days, min length 7 chars
All workstations either IBM or HP
IBM and Dell servers...
http (80/tcp)
It seems that it's possible to disclose fragments of source code of your web applications which should otherwise be inaccessible. This is done by appending +.htr to a request for a known .asp (or .asa, .ini, etc) file.
The remote web server itself is prone to cross-site scripting attacks.
Let's start with this info for now....
Ezekiel
10-28-2006, 05:30 AM
We can't really do much unless we can take a look at your server...
How about if you post the domain name/IP address here in an encrypted string so nobody can find your post through google? Or pm it to the active posters in this thread.
oraclemonster01
10-28-2006, 09:56 AM
Mike*0* I take your challenge....I'll give you the info if I get to learn from the experience. I believe you are looking for this: bf2e2**e8*65*6ac6f*6be8ec2bc2af*
Moonbat
10-28-2006, 12:08 PM
Well based on an HTS (Hack This Site) challenge and the fact you have Apache, I'm wondering whether you're using SSI or not. You could be vulnerable to an SSI injection.
oraclemonster01
10-28-2006, 05:39 PM
Yes our company has SSL 2.0 and a Tenable Nessus scan shows that it is vulnerable to man in the middle attacks....
Moonbat
10-28-2006, 06:30 PM
Not SSL (******* Sockets Layer), SSI (Server Side Includes).
Here is a link to a page all about it:
http://httpd.apache.org/docs/*.*/howto/ssi.html
If you are vulnerable, people can execute commands (DOS commands, since you are using Windows) and can do anything from search directories to formatting.