Follow-up to our lovely USA Today article about the “finagle vulnerability”… you remember they did a honeypot and “To hijack the Windows Small Business Server, the attacker finagled his way into a function of the Windows operating system that allows file sharing between computers. He then uploaded a program that gave him full control.”
Well, at first I was thinking they purposely chose p-a-s-s-w-o-r-d as the password to get the system SMTP auth attacked [which, yes we ARE vulnerable to — remember CHOOSE PASSWORDS WELL like Dr. Jesper Johansson tells us to]. But it didn’t dawn on me what they really did to purposely get this box hacked. They set it up with one network card and no firewall. Yo, folks. READ THIS.
Because the Internet connection device is the default gateway to the Internet, the device must provide a firewall service or you must add a firewall device to protect your local network from unauthorized Internet access. In this topology, you cannot configure the firewall provided by Windows Small Business Server 2003 because the server is not the gateway to the Internet. If you want to use the firewall provided by Windows Small Business Server 2003, you must install a second network adapter in your server and use the topology shown in Figure 2.4. For more information, see Appendix B, “Understanding Your Network.”
Does everyone understand how totally bogus of a honeypot test this was? They purposely set it up such that the file sharing ports were exposed as part of their server honeypot test.
We never EVER do that. No self-respecting server does. So for this article, the honeypot experiment was such a bogus test. Did the article say in any place in that article how bogus of a test this was?
Sorry folks... but I’m still blown away by this article and its content.
This only confirms what I have always believed: that newspapers write stories in order to sell more newspapers! I mean that if you set up the server the way it is supposed to be set up and it’s safe, there is NO story.
Let’s face it, anything not set up the way it is recommended can cause problems. If your car manufacturer recommends 30psi tyre pressure and you put in 50psi, you can’t be surprised when the first pot hole bounces you all over the place, or if you slide off at the first bend!
Agreed–absolutely bogus. Even a novice setting up SBS-2003 for the first time would have difficulty doing that. In fact, the novice would probably be behind a SOHO router, which also would have prevented the attack.
This is poor reporting. Yes, you CAN set the box up that way. You can turn off the firewall in XP SP2, too. A reasonable reporting procedure would be to set the box up as recommended by the vendor. Most people setting up servers actually read (or have read) a good bit of the documentation.
This feels like a newsgroup reaching for some mud to sling just so they can run a story to fill some blank space.
James
I’m waiting for a story on XYZ Company’s Auto Alarm – and how a thief was able to finagle their way around it. Of course, the story would fail to mention that even though the alarm was armed, the car was parked in the wrong part of town, all of the windows were left down, and the keys were left in the driver’s seat . . .
[…] things. Firstly, the Administrator password for that machine was “password”. Secondly, the server had a single network card and no firewall. […]