
Why Syngress.com Needs Hack Proofing

by DIzzIE


[c]opyleft 2003

Introduction

Syngress Publishing is one of the most renowned publishing houses in the IT field, perhaps best known for its assortment of ‘Hack Proofing’ books, which is why it is all the more ironic that Syngress.com is itself vulnerable to intrusion, allowing anyone to obtain any of the ebooks offered for sale on its website for free, with no particular skill in Internet security.

Starting Out

In order to obtain any ebook Syngress offers, one must first have a membership to the Syngress Solutions (‘[email protected]’) service: http://www.syngress.com/solutions/index.cfm. Membership is obtained by entering a serial number on the registration page, http://www.syngress.com/solutions/registration.cfm. A list of 10 possible serial numbers appears on the copyright page of every Syngress book in the following format (the serial numbers in this example are purely fictional):

KEY SERIAL NUMBER 001 D363OPQHZ89 002 10LAWOUVF5D (etc…)

The registration page prompts for a random key (1-10) and asks you for the corresponding serial number. Thus, when going to the library or bookstore, write down all ten serial numbers. Once you are registered, you have access to that particular book in ebook format. Of course, you may add to your list of available books by entering more serial numbers, but the tedium of spending a day writing down serial numbers can surely be averted. And in fact it can be, thanks to a gaping flaw which will now be explained.

Robbing Syngress Blind

When you have registered and logged in, you see the book whose serial number you entered listed under ‘Registered Solutions Books.’ Clicking on the book link takes you to a page for the book, which allows you to download a PDF version of the book, as well as do a few other things such as submit a question to the author, download any CD content (if applicable) and so forth.

What is important is the site URL for the particular book. It will be in the format: http://www.syngress.com/solutions/587_Hack_Wifi/ (the last portion of the URL, /587_Hack_Wifi/ is the unique path assigned to the book, in this case the path is purely fictional). What if you knew what the other paths were? Well, then you would be able to obtain any book you wanted.

Browsing Syngress’ online book catalog, for example the security literature section, http://www.syngress.com/marketing/security/ebooks.cfm, one sees that for most books the table of contents and a sample chapter are available. The TOC/sample chapter are located at http://www.syngress.com/book_catalog/587_Hack_Wifi/ (once again the last path component is fictional). Notice that this path is identical to the one in the /solutions/ folder. Thus, to obtain a copy of any book, it is as simple as appending the book path that appears in the /book_catalog/ folder to the /solutions/ URL.

It is interesting to note that the only reason you must register at all is that if one tries to access any book in /solutions/ without being a logged-in, registered member, one gets redirected to the Solutions homepage, http://www.syngress.com/solutions/.

Solutions

Needless to say, this oversight is likely causing Syngress’ profit margins to deflate slowly but steadily. Not being an expert in Internet security, I can nonetheless propose what seems to be a common-sense, economical solution that could be implemented within an hour: change the naming convention for the books, i.e. make sure the book path in the /book_catalog/ folder does not coincide with, or even remotely resemble, the book path in the /solutions/ folder. I hope that this article has raised awareness of the existence of such minuscule ‘holes’, which are all too often overlooked…
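To make the flaw concrete, here is an added example (not Syngress's code; the account names, registration table and book paths are all constructed) modelling the /solutions/ access check: the weak version only tests whether the visitor is a logged-in member, which is exactly what lets a member fetch any book whose path they have seen in /book_catalog/, while the fixed version also tests that this account has actually registered that book. Renaming the paths, as proposed above, makes them harder to guess but does not replace that second check.

```python
# Added example: a minimal model of the /solutions/<book_path>/ download check.
# Everything here (accounts, registrations, catalog, book paths) is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed registration records: the book paths each account has unlocked
# by entering a serial number from the book's copyright page.
REGISTRATIONS = {
    "alice": {"587_Hack_Wifi"},
    "bob": set(),
}

# Constructed set of book paths that exist under /book_catalog/ and /solutions/.
CATALOG = {"587_Hack_Wifi", "123_Hack_Proofing_Web", "456_Snort_Intrusion"}


@dataclass
class Request:
    user: Optional[str]  # None means the visitor is not logged in
    book_path: str       # the <book_path> component of /solutions/<book_path>/


def weak_check(req: Request) -> str:
    """Models the flaw described in the article: only membership is checked,
    so any logged-in member who knows a path is served that book's PDF."""
    if req.user is None:
        return "redirect:/solutions/"      # the only protection in place
    if req.book_path not in CATALOG:
        return "404"
    return f"serve:{req.book_path}.pdf"


def fixed_check(req: Request) -> str:
    """Authorization fix: serve the PDF only when this account has registered
    this particular book. The path being guessable no longer matters."""
    if req.user is None:
        return "redirect:/solutions/"
    if req.book_path not in CATALOG:
        return "404"
    if req.book_path not in REGISTRATIONS.get(req.user, set()):
        return "403"                       # member, but not for this book
    return f"serve:{req.book_path}.pdf"
```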
