F*cking Security
How to f*ck security-concepts… Well, the company I currently work for, needs to exchange medical data with laboratories and doctors around the country through some sort of secure channel. The process is basically as simple as fetching a number of files and importing them into the respective software at our client’s lab, sometimes even upload their results, so that we can re-import. Before I appeared on the stage, my company paid an external IT-Consultant “Intelligence for New Technologies” (sic) to implement a secure and robust solution. Here’s how they did it / How to effectively dismantle any kind of security for your client:1. Setup an unrestricted VPN Tunnel into your client’s Network2. Write a script on the other end that dials the VPN and exchanges Data via SambaSo far so good. Except for the thing using Artillery to hunt mice.3. Use the Domain-Admin-Password to connect and save it in plaintextCongratulations, you have effectively circumvented lines of defense, in case someone reads the script and at least issued (passive) administrative powers to third parties.
