I was trying to ssh to a client’s server and was unable. I decided to try the IP address I was given in a web browser and was surprised to find myself staring at the configuration page for a TV station’s DTV Decoder/Receiver. These days, I try to stay out of computers I’m not supposed to have access to, but I just has to poke around a little.

The first thing I did was look around the surrounding IP addresses to find out what else was lying around, unguarded. I don’t want anyone getting tempted, so I’m only giving you the tail end of each IP. Below is a list of what I found with just a little snooping:

.3 APC Management console
.4 APC Management console secured by htaccess (“Switched Rack PDU”)
.9 DTV-150E
.10 DTV-150E
.11 DTV-150E
.12 DTV-150E
.13 DTV-150E
.14 DTV-150E
.15 DTV-150E
.20 NetVX Control Interface (htaccess)
.23 Unknown and protected by htaccess

As you can see, we’ve got a number of video decoders, a NetVX (which looks like a lot of fun if I could get into it), a couple APC Management Consoles, and something hidden properly behind htaccess. One of the APC consoles was busy, but when I returned later, I was able to confirm that they were both protected properly by htaccess. It’s just too bad they don’t have everything protected.

There’s a few ways to protect stuff on the web that is only meant for certain eyes. One of the most popular is with a .htaccess file. Essentially, you just throw this file in the directory you would like to protect, put a few lines in the file, and create a password file. Another, more involved, method is to allow only certain IP addresses to access port 80 (the traditional web port). Sometimes, people even skate by, utilizing “security by obscurity”, or just hiding their information in a directory and hoping nobody finds it. None of these methods were used here. Perhaps these are just test hardware, but if they’re not, they are wide open for anyone with a malicious streak.

If you put anything sensitive online, protect it with some form of secure access method. When you do, make sure you use a secure password. Never access anything sensitive from a public computer or on a public network. Above all, don’t leave an array of servers wide open.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.