A decade ago, I supported a client/server app that used 3 TCP ports. Had a client who refused to use default ports for anything “for security”. Regularly called in with network/connectivity problems. Would also refuse to acknowledge exactly how his was set up. Finally got him to send in a config file.
(1/2)
@ehurtley
Those are the same ports I use on my luggage!
@voltronic The other good incident was overhearing two coworkers discuss a case.
Cow-orker 1: <discussing all the extreme security precautions of the client, can’t send logs, difficulty getting info>
Cow-orker 2: “Who do they think they are, the <three letter agency>?”
C1: “Actually, yeah, that’s exactly who it is.”
C2: “Oh… Okay then.”
@voltronic (2/2)
“This is obfuscated, right? You’re not actually using TCP ports 1, 2, and 3, right?”
“Oh! Shoot! I meant to obfuscate! <sigh> Yes, we are using 1, 2, 3.”
“…” <facepalm>
“I… Don’t use those. Pick different ports.”
“Okay, how about if I just add five-zero to the beginning of your default ports?”
“…” <triple facepalm> (All our ports were 4 digits.)
“That…. Just… No.”
This was head of infosec at MAJOR IT shop. I haven’t bought from them since.
#CoSoSec #InfoSec