An interview of NeonSurge, from the security team (dead link) Rhino9
Just to let you know: I chose not to put a title on the interview.
<Kitetoa> - First, let's try to understand what we're gonna talk about. You've connected through Telnet to servers on the internal network of one of the largest software companies in the world. Is that right?
<NeonSurge> Yes. It was a joint project by Rhino9. I didn't do it alone.
<Kitetoa> - Apart from "pure talent", is that made possible by a bug of the servers or is it a hole in the network security policy?
<NeonSurge> It was the administrators' lazy policy that let us into their network.
<Kitetoa> Could you elaborate on the kind of servers, because it seems difficult to "enter" a company's network, because of the firewall, proxies, etc.
<NeonSurge> Now... a lot of intruders would still not be able to get in, they just don't think the way they should.
<Kitetoa> What does AbsoluteFTP stand for (normally)?
<NeonSurge> AbsoluteFTP appears because AbsoluteFTP is a shareware FTP program... like CuteFTP
<Kitetoa> Did you tell that company's people that you discovered that hole?
<NeonSurge> Yes we did...
<Kitetoa> What did they say and/or do?
<NeonSurge> We actually have a good working relationship with this company....
<NeonSurge> Whenever we find a problem in their products, we let them know before we make any public notices...
I understand that
<Kitetoa> How big a problem is it for that company to have an open gate like yours? I mean, can you go further on their network from the servers you own?
<NeonSurge> The weakness we found allowed us to install a packet sniffer and collect over 70 usernames and passwords in 2
<Kitetoa> You say "We could have gone almost anywhere in their network". But I guess that this large company doesn't link the Internet part of its network to sensitive data like the servers where you can see their sales and payrolls and stuff...?
<NeonSurge> Actually... The server we got into was attached to the Internet...
<Kitetoa> You mean this is possible?
<Kitetoa> It's hard to believe.
<NeonSurge> It all depends on the final configuration of the network
<Kitetoa> Yes, I know, but I mean, they must have plenty of firewalls, proxies, and all that stuff, don't they? Or, better, have the sensitive data totally physically disconnected from any Internet link?
<NeonSurge> Well.... their firewalls are configured to allow certain connections...
<Kitetoa> Did they ask for an intrusion test?
<NeonSurge> They have other companies do security work as well, but they obviously didn't find as much as we did.
<Kitetoa> I understand
<NeonSurge> That's one thing that BIG companies do not do.... and hackers often break into networks that have been 'secured' by these companies because they don't give their people a chance to stay on top of things.
<Kitetoa> Do you think that French companies are at risk? I mean, if one of the largest companies is at risk, many French ones may be...
<NeonSurge> French networks???
<Kitetoa> OK, just to be a little more precise, when you say "I took me 3 hours to own Epita..." what does "own" mean exactly?
<NeonSurge> I was in their network
<Kitetoa> People in the press web sites should consider security as big an issue as banks do. Their data is as sensitive as banks' ones, if someone can modify them
<NeonSurge> People in the press approach security as a 'news item', they don't approach it seriously
<Kitetoa> But this is the heart of that infowar stuff everybody's talking about
InfoWar exists in the US at a very minimal level. By minimal level, I mean that the threat is there, but our response/protection to it is minimal.
<Kitetoa> Do you believe L0pht when they say that they could bring the Net down?
<Kitetoa> Do you need a lot of computer power to do so?
<NeonSurge> It's actually not very hard to do... which is the sad thing...
<Kitetoa> Anyway, I still think that it's more interesting to break into the NYT and change some data so that no one would think they have been changed than taking the Net down
<NeonSurge> Breaking into NYT is nothing compared to the things that would bring down the Net...
<NeonSurge> Not to mention the DOD and GOV comps that still hold connections to the Net