Agreed.. boss sounds like an idiot.

1) Cover up the traditional security holes -- FTP, telnet..  Make sure that
only specific accounts, if any, have access to your CF directory.

2) Make sure that all IIS hotfixes and NT service packs are installed.

3) Like that other guy said -- chances are he's going to try and exploit his
relationship to your boss' daughter to get at a password.  Perhaps he has
access to your boss' machine at home.

4) Set up some anti-hacker counter measures within CF.  Track bad logon
attempts for a particular account -- when consecutive password failures
reach a certain point, lock the account.  You can also track based on the
CGI.REMOTE_ADDR header.  Consecutive failed logons from a single IP .. block
it for x minutes.

5) You got a firewall? Use it.

6) Any of your users who use stupid passwords (like their name, "password",
etc) are definitely a risk.  If your passwords are stored in a database, do
a "select count(*),password from users group by password" (modify as needed)
to see if there are some particularly generic passwords everyone is using.

Security is security.  The openings hackers typically exploit are 99% of the
time general failures in your security infrastructure.

This guy sounds like a retard, though.  If I were you, I'd have fun toying
with his tiny brain.  You can do a reverse lookup on his IP address and
alert him "The FBI has been notified of unauthorized entry attempts
originating from PPP30150.01.ix.netcom.com" or other such silly messages
that might make a newbie get a little sweaty. :-)
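The lockout and per-IP throttling described in point 4 above, written out as an added example (this is not code from the original post or from any ColdFusion application; the class name LoginGuard, the thresholds, the return codes and the sample addresses are all assumptions, and Python stands in for the CF page that would wrap the real login query):

```python
"""Consecutive-failure account lockout plus a per-IP block "for x minutes".

Added example, not code from the original post.  Names, thresholds and
addresses are assumptions; the real login page would call attempt() after
checking the submitted password against the users table.
"""
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class LoginGuard:
    max_account_failures: int = 5   # consecutive failures before the account locks
    max_ip_failures: int = 20       # failures from one address inside ip_window_seconds
    ip_window_seconds: int = 600    # sliding window used to count per-IP failures
    ip_block_seconds: int = 900     # how long a tripped address stays blocked
    account_failures: dict = field(default_factory=dict)  # account -> consecutive failures
    locked_accounts: set = field(default_factory=set)
    ip_failures: dict = field(default_factory=dict)       # ip -> deque of failure times
    ip_blocked_until: dict = field(default_factory=dict)  # ip -> epoch seconds

    def ip_is_blocked(self, ip, now):
        """True while the address is inside its block period; clears expired blocks."""
        until = self.ip_blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.ip_blocked_until[ip]
            self.ip_failures.pop(ip, None)  # fresh window after the block expires
            return False
        return True

    def _record_ip_failure(self, ip, now):
        """Append a failure, drop timestamps outside the window, block if over the limit."""
        q = self.ip_failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.ip_window_seconds:
            q.popleft()
        if len(q) >= self.max_ip_failures:
            self.ip_blocked_until[ip] = now + self.ip_block_seconds

    def unlock_account(self, account):
        """Administrative reset after the owner has been verified out of band."""
        self.locked_accounts.discard(account)
        self.account_failures.pop(account, None)

    def attempt(self, account, ip, password_ok, now=None):
        """Outcome of one login attempt: 'ok', 'failed', 'account_locked' or 'ip_blocked'.

        password_ok is the result of the caller's own password check; this
        method only decides whether that result may be honoured.
        """
        now = time.time() if now is None else now
        if self.ip_is_blocked(ip, now):
            return "ip_blocked"
        if account in self.locked_accounts:
            # Probing a locked account still counts against the address.
            self._record_ip_failure(ip, now)
            return "ip_blocked" if self.ip_is_blocked(ip, now) else "account_locked"
        if password_ok:
            self.account_failures.pop(account, None)  # success resets the streak
            return "ok"
        n = self.account_failures.get(account, 0) + 1
        self.account_failures[account] = n
        self._record_ip_failure(ip, now)
        if n >= self.max_account_failures:
            self.locked_accounts.add(account)
        if self.ip_is_blocked(ip, now):
            return "ip_blocked"
        return "account_locked" if account in self.locked_accounts else "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_account_failures=3, max_ip_failures=5)
    for i in range(4):
        print(guard.attempt("nick", "192.0.2.10", password_ok=False, now=i))
```

The distinct return values are for the server's own log; the page shown to the browser should say the same thing for a wrong password, a locked account and a blocked address, otherwise the attacker learns which accounts exist and when his lock has landed. Keying on the remote address, as the post suggests, also means that one block covers everyone behind a shared proxy, so keep ip_block_seconds short and make the account lock the one that needs a human to clear.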

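The audit from point 6 above, run against a constructed users table so the GROUP BY query and a check for username-as-password and common words can be seen working together. This is an added example, not code from the original post; the table layout, the sample rows, the denylist and the function names are assumptions, and SQLite stands in for whatever database the site used:

```python
"""Find shared and guessable passwords in a users table.

Added example, not code from the original post.  The rows below are made
up; the query is the one the post suggests, with a HAVING clause so only
values used by more than one account come back.
"""
import sqlite3

# Constructed sample data standing in for the site's real users table.
SAMPLE_USERS = [
    ("nick", "Tr0ub4dor&3"),
    ("duane", "password"),
    ("alice", "alice"),      # password equals the username
    ("bob", "password"),
    ("carol", "Password"),   # same word as duane/bob, different case
    ("dave", "graphix"),
    ("erin", "graphix"),
]

# Assumed denylist of common choices; a real one would be much longer.
DENYLIST = {"password", "letmein", "welcome", "123456", "qwerty"}


def load_users(rows):
    """Build an in-memory table with the assumed (username, password) layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()
    return conn


def shared_passwords(conn, min_users=2):
    """The post's query: (count, password) for every value used by min_users or more."""
    rows = conn.execute(
        "SELECT COUNT(*), password FROM users "
        "GROUP BY password HAVING COUNT(*) >= ? "
        "ORDER BY COUNT(*) DESC, password",
        (min_users,),
    ).fetchall()
    return [(n, pw) for n, pw in rows]


def weak_passwords(conn, denylist=DENYLIST):
    """Accounts whose password is their username or a denylisted word, ignoring case.

    The GROUP BY above is exact-match, so 'Password' and 'password' land in
    different groups; this pass catches the variants the grouping misses.
    """
    flagged = []
    for user, pw in conn.execute("SELECT username, password FROM users ORDER BY username"):
        low = pw.lower()
        if low == user.lower():
            flagged.append((user, "same as username"))
        elif low in denylist:
            flagged.append((user, "common word"))
    return flagged


if __name__ == "__main__":
    db = load_users(SAMPLE_USERS)
    for n, pw in shared_passwords(db):
        print(f"{n} accounts share {pw!r}")
    for user, why in weak_passwords(db):
        print(f"{user}: {why}")
```

Both checks only work because the sample table stores passwords in the clear, which is the situation the post describes. If the column holds hashes, the same rules have to run at the moment the user sets the password, before it is hashed, since a salted hash gives GROUP BY nothing to group on.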
> -----Original Message-----
> From: Duane Boudreau [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 04, 2000 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Security holes revisited -- reward offered
>
>
> Nick,
>
> If your boss was willing to do this, I'd seriously consider quitting if I
> were you. There are tons of jobs out there.
>
> Duane
>
>
> -----Original Message-----
> From: Nick Call [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 04, 2000 11:44 AM
> To: [EMAIL PROTECTED]
> Subject: Security holes revisited -- reward offered
>
>
> Ok, fellow Listees, here's the deal...
>
>  My boss's daughter has a boyfriend.. (can you smell the trouble
> already???).  He is bent out of shape over the fact that I did not
> recommend that we hire him (I interviewed him and gave his skill sets an
> honest, thorough exam).  He is good at A/V stuff, but his web
> experience/database experience is null.  Anyway, back to the
> situation......  He has convinced the boss to pay him 2 grand to attempt
> to hack the system I built.  He claims to be a super hacker, blah, blah,
> blah.  I am not too confident that he can do it, but there is a small
> chance....
>
> Multiple minds are better than one.  I have gone over and over all the
> stuff I know, but I am more than likely missing some stuff.  Anyone care
> to share their CF/NT/IIS security checklist or other advice?
>
> It's escalated into all-out war.  He is going to stop at nothing to make
> me look bad, and I will stop at nothing to prevent him from succeeding.
>
> Thanks in advance.  I will custom print 5 free T-shirts with your logo (in
> one color) on them if you give me advice that plugs up a hole that I
> didn't know about.
>
>
> Thanks in advance.
> Nick Call
> [EMAIL PROTECTED]
> http://www.graphixonline.com
>
>
> ------------------------------------------------------------------
> ----------
> --
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.
>