Hello world.
Sometimes I get sad when I realize/remember that we in Bermuda are a little behind the times technologically. A colleague mentioned today that he wondered if we (the western hemisphere culture) had not become complacent in our hunger for success. We agreed that this means we are probably losing our competitiveness as a culture.
My interests are in computers, and technology in general. Here are a few ways I have observed our culture being lazy and falling behind in the Information Technology field.
- Our major telecoms datacenter is an easy target for social engineering. This means that a bad person can easily bluff their way into our datacenter. Once inside, the escort generally leaves a visitor alone until they are finished. A bad person could probably disable Bermuda's telecoms by abusing this lack of security awareness. This would not be possible if we were not asleep with our heads up.......
- There are a large number of wireless networks around, and thankfully, most of them seem to be WPA or WPA2. This is encouraging. I will not speculate on the length of password used, but hopefully most people have the sense to choose a long password. Unfortunately, this means that those people with WEP or unsecured networks stand out as bigger targets, and there are still a number of them out there. Especially if your neighborhood is on WiGLE. There are about 2,300 wifi points on Bermuda's map now. Check it out and tell your friends. Bermuda needs more security awareness.
- At least one of our major ISPs operates an open email relay. You spammers out there will now get busy looking for it. For the rest of you, what this means is that sending a fake email, with a forged "from" field, is very easy. All you have to do is change your name and email address in the account settings of your email client. This is possible, because the outgoing mail server does not require authentication. This means you can tell the email server that you are somebody else, and it will believe you, without checking. I have not named the major ISP, and I have not given detailed step-by-step technical information. But anybody who has a basic understanding of email client configuration should be able to verify this without much effort. A person of poor computer literacy should still be able to accomplish this if shown the steps once or twice. The problem is, this should not be possible. Our local ISPs have been negligent, allowing themselves to be used to spread spam, by anybody in the world. I guess it would be possible to discover and identify such a local spammer by IP address, but only if they were dumb enough to use a network they could be associated with (work or own home network).
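As an added illustration (not from the post, and not the ISP's actual configuration, which the post does not disclose), here is what the open-relay behaviour described above looks like in a Postfix main.cf next to the corrected policy. Postfix is an assumption; the same principle (relay only for local hosts or authenticated clients) applies to any MTA.

```ini
# ADDED EXAMPLE, hypothetical Postfix main.cf. The post names no mail software.

# --- Open relay: the behaviour the post describes ---
# Declaring the whole Internet as "my network" means any client, with no
# authentication, can hand the server mail for any destination and any From:.
# mynetworks = 0.0.0.0/0
# smtpd_relay_restrictions = permit_mynetworks, permit

# --- Corrected: relay only for local hosts or SASL-authenticated users ---
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Postfix releases older than 2.10 have no smtpd_relay_restrictions; put the
# same three entries in smtpd_recipient_restrictions instead.

# Verify the active setting after reload:
#   postconf -n smtpd_relay_restrictions mynetworks
```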
- Our own government's home page also has problems in it. It's powered by some portal software written by a company that doesn't even exist anymore, BEA Systems, which was bought by Oracle ages ago. There were a number of directory traversal vulnerabilities in the version that powers http://gov.bm, which were again fixed ages ago. However, our government's webmaster hasn't applied these security updates yet. Unfortunately, they are running an even older version of Apache, which is not just a few updates old, but several major revisions out of date. Apparently, there was even a tip to the webmaster that has apparently gone ignored.
If you recall the issue with one of TCD's databases being readable and editable from the internet, published a few months ago, the same vulnerabilities still exist. This was announced in the Royal Gazette this past June, and the breach still exists (at least the last time I checked), albeit the risk has been mitigated. By this, I mean that the database was replaced with a blank database, but it was still accessible. I have been unable to locate this link again. However, a simple Google search for "site:gov.bm feedback" will reveal similar comment forms, in which user comments and questions are publicly available, and they are probably not intended to be.
For example: http://www.gov.bm/portal/server..pt/com_joomlalib/standalone/components/com_joomlalib/standalone/stubjambo.php/gateway/PTARGS_6_2_10533_216_226727_43/
You will notice that the URL specifies an invalid file path, "/server..pt/". However, there is a bug in the portal software. This bug, which is documented and has been fixed ages ago, is still present in the Bermuda Government portal. The fact that the webmasters have not patched the portal software is an act of ignorance and/or willful negligence. It has allowed Google spiders to crawl and index all sorts of things which probably shouldn't be available to it. A bad person could probably do the same thing, and much worse.