Scripted shortcut caused double-click #disaster of #sysadmin's own making

source: https://www.theregister.com/2023/10/09/who_me/

Rather than right-clicking on the script and selecting "Edit" to make his small change, Ricardo had instead executed the script. On his production machine. The machine that stored all of his carefully constructed scripting – not to mention absolutely everything else he needed to do his job.

And of course there was no "Are you sure Y/N?" to save Ricardo's skin, was there? With a fraction of a second, the script merrily started eating away the hard drive … and Ricardo's livelihood.

#software #script #fail #administrator #omg #wtf #configuration

#NSA and #CISA Red and Blue Teams Share Top Ten #Cybersecurity Misconfigurations

source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

1) Default configurations of software and applications
2) Improper separation of user/administrator privilege
3) Insufficient internal network monitoring
4) Lack of network segmentation
5) Poor patch management
6) Bypass of system access controls
7) Weak or misconfigured multifactor authentication (MFA) methods
8) Insufficient access control lists (ACLs) on network shares and services
9) Poor credential hygiene
10) Unrestricted code execution

#usa #internet #security #administrator #configuration #knowledge #knowhow #top10 #network #login

#Hacker gains #admin #control of #Sourcegraph and gives free access to the masses

source: https://arstechnica.com/security/2023/09/pii-leaked-after-sourcegraph-an-ai-driven-service-for-code-development-is-hacked/

The hacker gained administrative access by obtaining an authentication key a Sourcegraph developer accidentally included in a code published to a public Sourcegraph instance hosted on Sourcegraph.com. After creating a normal user Sourcegraph account, the hacker used the token to elevate the account privileges to those of an #administrator. The access token appeared in a pull request posted on July 14, the user account was created on August 28, and the elevation to admin occurred on August 30.

#hack #api #security #cybercrime #internet #news #software

Hacker gains admin control of Sourcegraph and gives free access to the masses

We've said it before; we'll say it again: Don't put credentials in publicly available code.