[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Scott Ferguson scott.ferguson.clug at gmail.com
Fri Jun 17 23:24:07 MDT 2011

On Fri Jun 17 21:24:54 MDT 2011 Daniel Rose wrote:
> On 16/06/11 22:48, Robert Edwards wrote:
>> Getting Way Off-Topic...
>> On 16/06/11 21:47, Sam Couter wrote:
>>> Bob Edwards <bob at cs.anu.edu.au> wrote:


>> Does anyone actually _know_ of any instances where someone's bank account
>> was accessed without proper authorisation over the Internet and the
>> bank didn't work hard to fix the problem? Just curious.
> An engineering firm (mechanic) in Mitchell had 37 grand removed online
> and the guy was found charged but insufficient evidence was available.
> The money was never recovered, but the firm was reimbursed after a long
> delay.  I don't know how hard the bank worked.


If that's the case I've heard of, it had nothing to do with web servers
and everything to do with letting all their IT decisions be made by
someone hired to spend one day a week in the office adding up figures.
"Oh *cough* is good with computers". The same "MYOB operator" also gives
tax minimisation advice which is wrong (and illegal), and provides the
same services for another two companies (that I know of; we initially
thought the person was connected with the thefts). Blaming the part-time
clerical worker doesn't cover the fact that the business failed to hire
someone with the right skill sets.
I'm dubious about employers who confuse computer operators with
engineers and technicians. Not only would an SME IT consultant have cost
the same (quicker) - the software and hardware solutions would have been
cheaper, and there would have been no cleanup costs.
Hint: all equipment (Dell) and services (online backups and web hosting)
are bought through a hosting company, where that same person gets
affiliate bonuses (kickbacks), and in two cases companies with less than
a dozen staff were advised to spend several thousand dollars on Small
Business Server and Outlook (on the same subnet) - same passwords used
for everything (dictionary word, lower case, followed by two numbers),
remote access to the network through a web interface on the office file
server to the office desktops.
Anyway - if we are talking of the same case - the problem is not hosting
a web site (they used a well known ACT hosting company); it's just a case
of poor decision making. That the person who was paid to set up the
office in an unprofessional manner has done the same thing with two
other businesses I know of, with similar results, is just testimony to
why not being open is a bad thing. (And yes, she is litigious.)
Either do it yourself and take full responsibility for the outcomes or
hire someone with the appropriate skills - so-and-so's child who's "good
with computers" is not a wise choice either, nor are random results from
a search engine a reputable guide for configuring remote access to MYOB
(the case in point).
Just because someone watches a lot of medical dramas and docos - and works
in a hospital - doesn't mean I'm going to let them operate on me.