Ok, hi guys, first story posting here. This one isn't technically a customer, more of a contractor, but definitely tech related...
I work for (Almost-Ivy-League-College (AILC from here on)). More specifically, I work for one department, as the "tech guy". This means I do everything from write the software to connect our website to our e-commerce provider to changing the toner in my Overboss's printer (Overboss = Boss's Boss). Needless to say, I'm also the only one in the building who has any concept of technology.
Anyways, we're paying a company to do upgrades to our website, mostly because there's only one me, and I'm currently working on aforementioned e-commerce stuff.
We give him access to the server, and in an attempt to keep it as secure as possible (I also double as sysadmin) I ask them to send us an ssh key, so that I don't have to give him a password, and can track their computers if necessary.
In response, I get sent 6 files. 3 public keys, and 3 private keys. For those of you who don't know, private keys are named such because they're never meant to leave the computer that they're created on. They're private.
We get that sorted out, and after some problems with my boss not knowing what a ` (backtick/grave) character is, we get the contractor access to the server. Mind you, this is the production server. We have testing servers, and I'm sure they do as well. We gave them access so that they could pull what data they needed without having to take a 2GB file over a slow network. Most of the production code is small, but we're hosting a lot of photos (comes with the sector).
I come in the next morning to notice that one set of our logs had been deleted. Not maliciously, but probably in "clean-up". Ok, first of all, I'm a web developer by trade as well, and I'd never mess with a production site. Never ever ever. All things are done on a test site, and then when everything checks out, pushed at once up to the production site.
Anyways, I immediately go into search-and-destroy mode. And, lo and behold, the developer has uploaded several things directly into the webroot of the server. A script designed to create an archive of the necessary files, a script to unzip another archive containing who knows what, and a copy of phpmyadmin. We gave the developer ssh access for a reason. When creating an archive, you create it outside the webroot, over ssh, probably using tar -czvf. When unzipping an archive, you do the same. And had the developer asked, we already had a copy of phpmyadmin running securely on another port.
Worse yet, I find a database dump sitting in the webroot. A complete dump. Containing all of our users' password hashes. Among other things of course.
I shut the developer's access down faster than you can blink. That's too far. I cleaned up after him, and put in a call to the company, asking for a conference with him. That was yesterday. Haven't heard from them yet. I'll keep you updated.
PS. Sorry for the long post, but I had to rant. I understand not being paranoid about security, I'm the one being paid for that, but to not even think about it? I'm just glad this developer isn't touching our e-commerce code. I don't even want to think about the potential security issues there.
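A check for the kind of leftovers described in the post (database dumps, archives and a stray phpMyAdmin copy in the webroot), together with a `tar` wrapper that refuses to write an archive inside the webroot. This is an added example, not part of the original post; the function names, file-name patterns and demo paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example; the file-name patterns are assumptions, extend them for your site.

# Prefix each path read on stdin with a category label.
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# Print "category<TAB>path" for items under a webroot that should not be web-reachable.
audit_webroot() {
    local root=$1
    find "$root" -type f \( -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.sql.zip' \) |
        tag db-dump
    find "$root" -type f ! -iname '*.sql.*' \
        \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname '*.tgz' \) |
        tag archive
    find "$root" -type d -iname 'phpmyadmin*' | tag phpmyadmin
}

# Archive a webroot with tar, refusing any destination that resolves inside it.
# The archive is created owner-only (umask 077) because it may contain dumps.
safe_archive() {
    local root dest_dir
    root=$(cd "$1" && pwd -P) || return 2
    dest_dir=$(cd "$(dirname "$2")" && pwd -P) || return 2
    case "$dest_dir/" in
        "$root"/*) echo "refusing: $2 is inside the webroot" >&2; return 1 ;;
    esac
    ( umask 077 && tar -czf "$dest_dir/$(basename "$2")" -C "$root" . )
}

# Constructed demo tree standing in for a real webroot.
demo=$(mktemp -d)
mkdir -p "$demo/web/phpMyAdmin" "$demo/backups"
: > "$demo/web/index.php"; : > "$demo/web/site_dump.sql"; : > "$demo/web/files.zip"
audit_webroot "$demo/web"
safe_archive "$demo/web" "$demo/web/all.tar.gz" || echo "blocked: destination in webroot"
safe_archive "$demo/web" "$demo/backups/site.tar.gz" && ls -l "$demo/backups"
rm -rf "$demo"
```

Run from cron or after a contractor session, `audit_webroot` gives a quick list of files to move out of the document root.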