0 / 10 flipped
Open Permissions
Tap to reveal
An access control misconfiguration in which a resource (cloud storage bucket, file share, directory) allows access to more users than intended β up to and including the public internet. Requires no exploit: the data is simply accessible because the permission says it is. Defining example: 2017 Verizon breach β 14 million customer records in a publicly readable Amazon S3 bucket configured by a third-party contractor. No credentials needed; any browser could download the data.
Verizon S3 Breach (2017) β What Actually Happened
Tap to reveal
A contractor (NICE Systems) configured an Amazon S3 bucket containing Verizon customer data with public read access β meaning any browser could read it without authentication. Approximately 14 million customer records were exposed, including names, account details, and customer PIN numbers used for phone authentication. A security researcher from UpGuard discovered it by scanning for misconfigured buckets. No exploit, no credential theft β just a wrong access control setting. This is the benchmark case for open permissions misconfiguration.
Root (Linux) vs. Administrator (Windows)
Tap to reveal
Both are built-in superuser accounts with unrestricted access to the system. Their names are universally known, making them prime targets for brute force. Root (Linux/Unix): disable direct SSH root login; use named accounts + sudo. Administrator (Windows): disable or rename the built-in Administrator account; use named admin accounts with UAC elevation. Both: enforce strong unique passwords, MFA, and least-privilege β minimize the total number of accounts with admin rights.
su vs. sudo
Tap to reveal
su (substitute user): switches to another account entirely, authenticated by the target account's password. Using "su root" requires knowing root's password. sudo (superuser do): runs a single command with elevated privileges, authenticated by the invoking user's own password. Sudo maintains a fine-grained audit trail (who ran what command when) and grants only what's needed. Best practice: disable direct root login and grant specific users sudo rights for specific commands rather than full root access. Both create audit trails that direct root login does not.
Insecure Protocols β The Four to Know
Tap to reveal
Telnet (port 23): remote terminal, all traffic in cleartext β replace with SSH (port 22). FTP (port 21): file transfer, credentials and data in cleartext β replace with SFTP (port 22) or FTPS. IMAP (port 143): email retrieval, credentials in cleartext β replace with IMAPS (port 993). SMTP (port 25) without TLS: email sending in cleartext β require STARTTLS or SMTPS (port 465/587). Each cleartext protocol is transparent to any attacker who can capture network traffic β packet capture tools like Wireshark can extract credentials with no special privileges.
DEFCON Wall of Sheep
Tap to reveal
A demonstration at the annual DEFCON security conference in which researchers monitor the conference network for cleartext authentication traffic. Credentials harvested from insecure protocols (Telnet, FTP, IMAP, HTTP) are displayed publicly in real time β email addresses and partial passwords on a large screen. At DEFCON 22, security professionals' own email credentials were displayed. The lesson: insecure protocols expose credentials to passive network observation regardless of user awareness. The fix is configuration (require IMAPS/SMTPS, disable plain IMAP/SMTP), not training.
Default Settings / Default Credentials
Tap to reveal
Hardware and software ship with factory-default credentials and configurations documented in publicly available vendor manuals. Default credential combinations (admin/admin, root/root, admin/1234, device-specific strings) are compiled into attack tools. A device with unchanged defaults does not need to be "exploited" β the attacker just uses the credentials that came in the box. Rule: change all credentials before deployment. Never connect a device to a network with factory defaults intact. Applies to routers, switches, cameras, IoT devices, VoIP phones, management interfaces, and all software.
Mirai Botnet
Tap to reveal
A 2016 malware strain that exploited default IoT credentials at internet scale. Mirai used ~60 hardcoded default credential combinations to automatically log into cameras, routers, doorbells, DVRs, and garage door openers over Telnet β no brute force, just the factory defaults. Infected devices were enrolled in a botnet that launched the October 2016 DDoS attack on Dyn DNS, disrupting Twitter, Netflix, Reddit, and GitHub. The source code was publicly released after the attack, making the technique available to anyone. Mirai demonstrated that widespread default credential misconfiguration is a critical infrastructure threat.
Open Ports and Services
Tap to reveal
Every open network port is a running service β and a potential entry point for attackers. Firewall rulesets manage port accessibility, but accumulate over time: rules are added for new services and projects but rarely removed when those services end. The result is a complex ruleset with open ports that serve no current business purpose. Defense: apply default-deny (block everything, explicitly allow what's needed); conduct periodic firewall audits to identify and close stale rules; document the business justification for every open port; decommission services when no longer needed.
Firewall Rule Creep
Tap to reveal
The gradual accumulation of firewall rules over time without corresponding cleanup. Every new service, vendor, or project adds rules. When the project ends or the vendor leaves, the rules typically remain β no one is responsible for removing them, and removing them feels risky. Over months and years, the ruleset becomes a complex mixture of current and historical rules that no longer accurately reflects policy. The result: open ports and access paths that shouldn't exist. Solution: scheduled periodic audits (quarterly or annually), required business owner for each rule, and automatic expiration on rules created for temporary purposes.