          Went to Paul Mooney/Bluewave's Domino Ethical Hacking workshop last week, and I'm rather glad I did.   Tom Duff's comment on Paul's post is pretty much on the money, very scary stuff indeed, and really made you think.  Paul showed and discussed a whole range of tools and techniques that are used by the bad guys out there, and each time then brought the discussion back to what you need to do in your corporate and Domino environment to be able to guard against them.  Not all the solutions, by any means, are in Domino.  Some are plain and ordinary good practice.  Some are education.  Some are firewall and network configurations, and then there are things you can and should do in Domino - and hopefully you've already done the important ones in your own environment.

          But seeing and discussing the techniques and tools Paul mentioned should make you more wary of your own internet usage, too. One hacking technique in use involves capturing logon information and stealing the web session. Web sites that use SSL for logon only and then revert to HTTP for the rest of the session are vulnerable to this technique. There are other things that Paul's session will make you more aware of, too.
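
A way to check your own site for the SSL-for-logon-only weakness described above, as an added example that is not part of the original post or of the workshop material. It audits a captured login flow for a session cookie issued without the Secure flag, a redirect from HTTPS back to HTTP, and (an addition beyond the post) a missing HSTS header. Assumptions: the host name, the cookie value and both flows are constructed, and `audit_flow` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample flows: (request URL, response headers). Host and cookie
# value are made up; DomAuthSessId is Domino's session-authentication cookie.
WEAK_FLOW = [
    ("https://mail.example.com/names.nsf?Login", [
        ("Set-Cookie", "DomAuthSessId=0123ABCD; path=/"),
        ("Location", "http://mail.example.com/mail/inbox.nsf"),
    ]),
    ("http://mail.example.com/mail/inbox.nsf", []),
]
HARDENED_FLOW = [
    ("https://mail.example.com/names.nsf?Login", [
        ("Set-Cookie", "DomAuthSessId=0123ABCD; path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Location", "/mail/inbox.nsf"),
    ]),
    ("https://mail.example.com/mail/inbox.nsf", [
        ("Strict-Transport-Security", "max-age=31536000"),
    ]),
]

def audit_flow(flow):
    """Return (issue, detail, url) findings for a captured login flow."""
    findings, issued = [], set()  # issued: cookie names set over HTTPS
    for url, headers in flow:
        https = urlsplit(url).scheme == "https"
        seen = {name.lower() for name, _ in headers}
        for name, value in headers:
            if name.lower() == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for key, morsel in jar.items():
                    if https:
                        issued.add(key)
                    if not morsel["secure"]:  # browser will also send it over HTTP
                        findings.append(("cookie-without-secure", key, url))
            elif name.lower() == "location":
                target = urljoin(url, value)  # resolve relative redirects
                if https and urlsplit(target).scheme == "http":
                    findings.append(("https-to-http-redirect", target, url))
        if https and "strict-transport-security" not in seen:
            findings.append(("no-hsts", "", url))
        if not https and issued:  # authenticated page served in clear text
            findings.append(("session-over-http", ",".join(sorted(issued)), url))
    return findings

print(*audit_flow(WEAK_FLOW), sep="\n")
```

The weak flow yields four findings and the hardened flow yields none; feed it the URL and header pairs from your own proxy or browser capture of a logon.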

          If you get the chance, and you have an interest in keeping your Domino servers secure on the web, go along to Paul's session.   And be ready to be scared.  

          Comments (7)
          Mick Moignard May 29th, 2012 07:51:17 AM

           Comments
          1) Ethically Hacking Domino
          Dragon Cotterill 5/29/2012 9:02:46 AM

          I would even go as far as saying that you cannot trust some SSL sites... depending on where you connect from.

          Paul is an Admin, and knows his Admin stuff very well. But even so a Developer can expose data by badly writing applications. I'd really like to see more on the Dev side of things. It's scary what can be exposed even on a locked down server.... or by utilising Domino to hack itself.

          2) Ethically Hacking Domino
          Mick Moignard 5/29/2012 10:11:58 AM

          So, Dragon. Suggest you contact Paul, and offer either to help add that content to, or even co-host, the workshop, to cover that? I'm sure you know Paul's views on developers, so that should be rather interesting.

          3) Ethically Hacking Domino
          Dragon Cotterill 5/29/2012 11:01:16 AM

          Ha. I think Paul's attitude to us Devs roughly corresponds to my views on Admins. No, I don't "think" I "know". Here's the proof. { Link }

          4) Ethically Hacking Domino
          Paul Mooney 5/29/2012 11:12:08 AM

          Thanks for the feedback Mick. Always a pleasure to meet up.

          @Dragon - I may be working on something along those lines. Depending on demand of course. And obviously I will be working with devs. No point in me advising on code! But as said to me by a dev, the plugs on the admin side need to be fixed well in advance.

          5) Ethically Hacking Domino
          Paul Mooney 5/29/2012 11:18:26 AM

          You do realise the YouTube video was a joke, right? ;) I have mountains of respect for the brilliant developers I deal with in Bluewave and then the likes of Matt White, Kerr Rainey, Tom Duff, Bill Buchan, Tim Davis, the guys at LDC and so many more. Some of them were good enough to review the admin session and think that even Devs should go on it (something I took as an extreme compliment).

          Two folks at the workshop were devs! Shocking.

          6) Ethically Hacking Domino
          Dragon Cotterill 5/29/2012 5:28:28 PM

          Of course I realise it's a joke. But I still want to take a clue stick to "users" as well. Guess we're all in the same boat there. :)

          7) Ethically Hacking
          Vaibhav Gupta 7/27/2012 12:41:23 PM

          Thanks so much for this post. There is very good and helpful information in this post. Keep up the good work.

          Regards:

          Ethical Hacking { Link }
