Thursday, January 7, 2010

Vendor Hacking. Your reviewer browses a Delphi vendor's internal site.

Those who use Delphi have no knowledge of security, or maybe a very lax sense of security.

That vendor has a site, http://(something), hosted on his private LAN in some US city, and "forgot" to secure the directory, and unfortunately left his customer database wide open, along with version control (SVN, with files not encrypted) and other things.

Onwards with this review.
Remember some time ago I wrote about a vendor fail? Your reviewer "reviews" this website. First of all, remember to password-protect your site, or turn off directory browsing, and maybe block bots, like the Yahoo Search bot or Google bot, so at least those things don't flow into Google's and Yahoo's search indexes.
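As an added example (not from the post, and not the vendor's configuration), here is an Apache httpd 2.4 fragment that enforces the advice above: no directory listing, no serving of SVN metadata or the Firebird .fdb file, a login on the private area, and a noindex hint for crawlers. The document root, the /private URL and the password file path are assumed placeholders.

```apache
# Added example: hardening fragment for httpd 2.4 (paths are placeholders).
# The real fix is to keep the SVN checkout and the .fdb outside the web root;
# the rules below are defence in depth for the case where they are not.

# 1. Never list directory contents, even where no index file exists.
<Directory "/var/www/vendor-site">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# 2. Answer 404 for any URL that reaches into version-control metadata,
#    so the repository contents and even its existence stay hidden.
RedirectMatch 404 "/\.(svn|git|hg)(/|$)"

# 3. Database files (Firebird .fdb/.gdb, backups, SQLite, Access) are never
#    downloadable, whatever directory they were dropped into.
<FilesMatch "\.(fdb|gdb|fbk|db|sqlite|mdb)$">
    Require all denied
</FilesMatch>

# 4. The private area (hidden forums, customer list, project dumps) needs a
#    login, and is marked noindex in case a link leaks (needs mod_headers).
<Location "/private">
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile "/etc/httpd/private.htpasswd"
    Require valid-user
    Header set X-Robots-Tag "noindex, nofollow"
</Location>

# 5. Well-behaved crawlers also honour a robots.txt at the site root:
#       User-agent: *
#       Disallow: /private/
#    (robots.txt is advisory only; the Require directives above do the work.)
```

Test with `curl -I` against a known .svn path and the .fdb file after reloading; both should return 404/403 rather than the file.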

Your reviewer looked at the private forums. You see, the public forum has "hidden forums" where the developers post messages to themselves. Funny how those Indian developers would post desperate messages about deadlines not met, or about delays in receiving money. Then, how the owners (of that company) would rant and hurl insults at those Indian developers who were developing the software (built with Delphi), and how the Indian developers would fight back saying this and that was not possible, and the end result was big, messy code.

Your reviewer looked at the forum's Bio pages and saw links to the developers' Hotmail and Yahoo addresses. I know them; they also post publicly on the former Borland newsgroups and, in an unfortunate way, traded insults with unhappy customers.

There were also requests to hurry up the projects, but somehow, either those Delphi developers made a big mess, or screwed up big time. Your reviewer downloaded some EXEs and some ZIP files from that site (to compile, you had to use that vendor's VCL libraries) and found it funny.

That server had other directories, which housed other projects, like that website for some company in the USA which was being developed. Or maybe they were just half-dead sites, or maybe half-broken sites, since those sites were time-stamped two years ago and maybe the customer didn't pay up because it looked ugly (just DelphiHater's thoughts).

That server had some Firebird database, but alas, without proper directory security and with an FDB file to download, you could get their supposed customer list. If there was anything more stupid, it would be to leave an FDB file in an open directory. This was a security breach waiting to happen.

Black lists
Your reviewer was going through the customer list, around 8,000 companies around the world... and 792 blacklisted customers (make it 800 by the time this review is published). Blacklisted customers were customers who refunded, bought with stolen credit cards, or used false credentials.

Of most concern were customers from Russia and Middle East countries. Funny how Delphi developers XXXX from those countries would have so many fraud entries on that customer list.

That customer list contained interesting customers, such as "Zorro" (e.g., Software by Zorro), hackers who bought their software and released it, such as 3SCrack (even funny to know that person's name), names from "nemesis.ru" (funny), and dumpz.ru.

That customer list included the addresses of well-known companies, such as RemObjects, Torry's and Components4Developers, to name a few, and of course those companies' logos are listed on the vendor's website.

Not Safe for Work
Your reviewer, browsing that site, was also surprised by the massive pictures directory on that site. Maybe it was for private viewing, or maybe the owners had a private collection of X-rated pictures. Your reviewer was surprised by supposedly gay and she-male Delphi developers. Maybe the owner there had a "taste" for gay Delphi developers ;) ...

Even funnier were those pictures with filenames that match names on the former Borland newsgroups. Of course, wanna share a picture? :) Maybe that vendor collected too many pictures of the female (and gay) population of the Delphi community, or maybe was looking for pen pals.
