I am totally appalled by the level of IT security knowledge in Malaysia, the country where yours truly hails from. Some people have some of the most ridiculous perceptions of security and hacking you could imagine. And I am talking about people who are actually in the IT industry or a related industry. They range from CEOs to system developers to typical users. Below are some examples of real-life cases of security misconceptions that I have experienced. There are more, actually, but some I have already forgotten. Bear in mind, names have been changed in order to protect the anonymity of the security idiot in question and so that I do not get sued.
This case involves one of the client’s servers that I manage. We are charged with maintaining the server to make sure it is running fine and that the websites hosted on it run properly. This is a big company that can certainly afford to pay for one server to host one website, a website that is not that busy. This is a good way to maintain total control over the company’s P&C related material. When I took over managing this server, I found out they actually paid a pentesting company to pentest the server every half year. I wasn’t told about this when I took over the server, so I did not update any packages on this Linux server. Naturally, my style of “if it ain’t broke, don’t fix it” has been one of the mottos I have practised for many years, and so far it has proved invaluable.
Imagine: one day, I suddenly receive an email from this client screaming about why their server has so many vulnerabilities. How could we give hackers a free pass into their server? Well, they did not specifically say that, but from their tone it certainly sounded like it. There were actually about 5 vulnerabilities, and some were even irrelevant, such as the use of mod_proxy, an Apache module that was enabled but not actually used by the website. Naturally, a few were harder to tackle, such as updating software packages like Apache and PHP to the very latest version. Any Linux system administrator would know that to update a package to the latest, most bleeding-edge version you need to compile the package manually. Any Linux administrator would also know that compiling such packages is a PITA and will certainly break the package updater that comes with the OS, such as apt-get (Ubuntu/Debian), yum (Red Hat/Fedora/CentOS) or YaST (openSUSE). So I went to talk to the client about this. I even spoke to the pentester. The client wanted industry PCI compliance, so there was no choice but to upgrade. I then managed to locate pre-compiled packages so that I did not need to compile anything. I upgraded the relevant packages, and a few days later the pentester said that this version now has a vulnerability too, so I would have to upgrade again. I talked with the client again, but their CEO wanted to be PCI compliant. I then argued that there is no point in making that server PCI compliant because it does not do e-commerce and does not store any P&C related material. The worst-case scenario is a hacker defacing the website; there is no information for them to steal. Eventually the client agreed that this server does not need PCI compliance. Whew…luckily the client understood. It helped that I pulled in a few more big words: site down, compatibility issues and so on.
The lesson to be learned here is that clients always want some security thingy without knowing the reason. A lot of the pentester’s findings are also very insignificant, but they take them so seriously without knowing why.
Not too long ago a big company got hacked. A few of their websites in some countries got hacked along with their biggest online portal. Needless to say, they were ashamed of this and started to panic. They then implemented some of the most ridiculous things one could imagine. Luckily we were not really affected because we had already completed some of our projects with them. There are a few more remaining projects that are still ongoing.
Before this hacking problem occurred, I already had some problems with them. Their website domain is controlled by someone in a neighbouring country, supposedly a country with lots of talent. However, this person does not even know how to handle the proper creation of a subdomain and its A records. As we deal with their counterparts in the local office, even the people in Malaysia are unable to handle this, and they are unwilling to be responsible for it. It’s just a freaking subdomain creation with A records pointing at an address. So I know these people are pretty much useless. A multinational company WORLDWIDE with these people in their IT department. All this while they rely heavily on vendors to support them and to blame whenever a problem happens.
Then this hacking issue happened. They had to implement lots of security policies which they had been slacking on all this while. They started doing pentests on some of the sites hosted on our server. These sites are temporary projects running their campaigns. Again, they ended up with some ridiculous vulnerabilities, such as not turning off PHP’s default “about” page. Quickly they started pointing fingers, asking us why we let hackers walk freely in our servers and specifically their website. It’s almost like they wanted to sue us for having server vulnerabilities. They actually assumed all servers run by big corporations are strictly 100% hack-proof. But they did not realise we are in the part of the world called South East Asia.
Over the past few weeks they have slowly taken back all the projects and websites and hosted them on their own server. However, they requested some of the most useless things, though I forgot what they were. The sort of requests that some inefficient “expert” would ask for.
Just recently we had this project to program a web portal with e-commerce using IIS and PHP. This company got the project and subcontracted it out to us. The reason is that they do not know PHP and only know .NET. So we created the staging server, built the prototype site and so on. It reached the stage where the code needed to be installed on their server. They wanted us to go and install PHP for them. They also wanted to ask about some security issues. As a veteran system administrator (who is still learning), I naturally requested remote desktop access to the system to install PHP. They replied wanting us to go there instead to install it. The reason was fear of security issues. I am like, WTF, everyone is using some sort of remote desktop to manage remote servers and they have no problems. They think hackers are at their server’s doorstep waiting for them to open a port. Once they open it, it’s yeah..free server to hack…yeah. Stupid. Then I said they can set it up such that the server only allows our IP address, which will solve any security issue. Upon replying this, I already had a feeling they do not know how to do this and will reply with some other excuse. As I expected, they replied saying they still want to meet up and discuss this and want to do some “risk analysis”. I really am speechless and can’t say much as they are our client.
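The IP restriction suggested above, as an added example that is not part of the original post: a Windows Firewall configuration that admits inbound Remote Desktop (TCP 3389) only from the vendor's static address and disables the broad built-in Remote Desktop rules. The vendor address 203.0.113.10 is a constructed placeholder and the rule name is my own.

```powershell
# Added example: restrict inbound Remote Desktop on a Windows server to a single
# trusted source address. 203.0.113.10 is a constructed placeholder (TEST-NET-3);
# replace it with the vendor's real static IP. Run from an elevated PowerShell.
$VendorIP = '203.0.113.10'
$RuleName = 'RDP - vendor allowlist only'

# 1. Disable the stock "Remote Desktop" rules, which accept 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled False

# 2. Create (or refresh) one inbound rule scoped to the vendor's address only.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VendorIP -Action Allow -Profile Any | Out-Null

# 3. Verify: every enabled inbound rule for 3389 should show the vendor scope,
#    not "Any". Each line prints the rule name and its remote address filter.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq '3389' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-40} remote={1}' -f $_.DisplayName, ($scope -join ',')
    }
```

Because Windows Firewall drops unsolicited inbound traffic by default, disabling the stock rules leaves the scoped rule as the only path to 3389; keep its `-RemoteAddress` in sync if the vendor's static IP ever changes.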
As usual, main contractors in Malaysia are people who only talk and have contacts. When it comes to real work, these people are useless. Sadly, in this part of the world talent alone will not make you successful.