Hacker News

I thought it was pretty clear. They had already developed a SonicWall VPN exploit. They used zmap to scan for vulnerable devices, then grepped the hostnames for "bank". When they exploited the VPN it gave them the whole network.

>In this case, on the other hand, it was the same Windows domain passwords that were used to authenticate against the VPN, so I could get a good user password, including that of the domain admin. Now I had full access to his network



To me, the scary part about this is: After Equifax, this is another big hack... and practically, it's one layer of defense and that's it. Shellshock, one password, everything's fucked. And yes, expletives are appropriate there. The rest is largely access maintenance, keyloggers and execution.

That's scary. Maybe I'll need to badger my boss about a serious pentest of everything.


Dude, forget a pentest, have a security architect look things over. Simple segmentation and an endpoint firewall with a good EDR might have stopped this. Everyone misses the basics; a lot of networks were pieced together 10+ years ago when people were not as security conscious as they are now.


Our first pen test, before I took over as CTO... We had a JSON file with admin credentials on a shared drive. IT company needed it there so some tool could log in as admin and do some robot work.

Fired them, and good riddance. But... STUPID SIMPLE things can get overlooked for years until you have someone else come in and test.

+1 for pentests.
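The anecdote above (admin credentials sitting in a JSON file on a shared drive) is the kind of finding a scheduled check can surface long before a pentest does. The following is an added example, not code from the thread: it walks a locally mounted share, parses each JSON file and reports the key paths that look like credentials, without ever writing the values out. The key-name list and the sample files built by `demo()` are constructed for illustration.

```python
"""Find JSON files on a share that carry credential-like keys (added example)."""
import json
import os
import tempfile

# Constructed list of key-name fragments that usually hold secrets (an assumption).
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key", "private_key")


def credential_paths(obj, prefix: str = "") -> list[str]:
    """Return dotted paths of keys in parsed JSON whose name looks secret-bearing
    and whose value is a non-empty string. Values themselves are never returned."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if any(s in key.lower() for s in SECRET_KEYS) and isinstance(value, str) and value:
                hits.append(path)
            hits.extend(credential_paths(value, path))  # nested objects / arrays
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(credential_paths(item, f"{prefix}[{i}]"))
    return hits


def scan_share(root: str) -> dict[str, list[str]]:
    """Map each JSON file under root to the credential-like key paths it contains."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".json"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not valid JSON: skip rather than abort the sweep
            paths = credential_paths(data)
            if paths:
                findings[full] = paths
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed share in a temp dir (sample data only) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tools"))
    with open(os.path.join(root, "tools", "robot.json"), "w", encoding="utf-8") as fh:
        json.dump({"user": "svc_robot", "password": "sample-only",
                   "db": {"api_key": "sample-only"}}, fh)
    with open(os.path.join(root, "readme.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "inventory", "version": 3}, fh)
    return {os.path.relpath(k, root).replace(os.sep, "/"): v
            for k, v in scan_share(root).items()}
```

Point `scan_share` at the mounted share path and feed the report into whatever ticketing or alerting the team already uses; the output names files and key paths only, so the report itself does not become another copy of the secret.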


For sure, I wasn't disagreeing. I meant have someone look at your architecture and make sure best practices are followed and insane designs don't exist before you pay for a pentester. Pentest results can be used to adjust architecture, but a pentester will show you one or a few ways they achieved the objective; they won't do a holistic review of architecture, procedures, practices, etc.


So after firing the vendor, who on your side got fired for allowing it in the first place?


Why would anyone get fired? Explicit approval and implicit incompetence should be handled differently. If pentests get people fired, no one wants a pentest. Refusing to accept and resolve pentest results can be fireable, but a pentest is supposed to help you improve what you have already.


Like many orgs that don't know any better, our CFO thought because he was good at Excel that he was qualified to direct IT.

That is no longer the case. To answer your question though, you know how hard it is to fire a CFO? Let me know if you have any tips.


The way you phrase the question is odd/misleading.

GP wrote that he replaced the previous CTO.

Before firing the vendor, the responsible party on their side had already left the role.


As I understand it this hack took place in 2016; they are just claiming it now. That's why they mention PowerShell being more useful.


Pentesters don't drop 0-days though, but yes, it shouldn't be one layer of security to bypass.


Depends who you hire and how much you pay them :).


Crunchy on the outside, chewy on the inside.


You're right, I tried to skip the rest and find the technical part but missed it.



