depicus

changing the digital world one bit at a time...

Blants (noun) the rants of a blogger

  1. Joint Waste Solutions – Piss Poor Security & Why Neither Amey Nor Surrey Heath Borough Council Care

    June 14, 2018 by The Man

    I come across a few web sites with errors or issues and normally I’ll eventually find somebody to report those errors to. Some are great: they will fix and thank you; others will just fix; and some never bother and their sites still have issues. But the vast majority are not so piss-poorly secured, so I just move on. I don’t need to be thanked, just for them to fix their sites.

    So over a month ago (May 2018) I came to https://www.jointwastesolutions.org so I could sign up for green waste collection, all pretty mundane until I tried to register on the redirect at https://jointwastesolutions.amcsgroup.com and it threw an error. Of course, anybody who has ever worked with Windows, IIS and ASP.NET knows the first thing you should do is make sure custom errors are turned on; indeed they are on by default now, so somebody has gone out of their way to make the site less secure.

    The main reason for turning on custom errors is that without them your site exposes information. In this case we can see that the site is running ASP.NET v4.6.1, which is currently 4 versions out of date. It also shows that the server is using Windows 2012, which is “End of Life” in October 2018. So outdated software on a server running a nearly EoL operating system. A quick scan of the server shows it may not have been rebooted for over 400 days – so no Windows Updates !!!

    Well then let’s just hope it was set up securely….

    Nothing has been done to even remotely secure the server, which leaves it open to all sorts of compromises, e.g. cross-site scripting. As you can see, this cloud-based server fails miserably.

    https://securityheaders.com/?q=jointwastesolutions.amcsgroup.com&followRedirects=on

    But at least it’s using SSL, I hear you cry… Yes, but much like the proverbial chocolate fireguard it’s so poorly configured as to make it almost pointless. It still uses SSL v3, is vulnerable to DROWN and POODLE, and supports piss-weak encryption. Now I never got as far as being able to put in credit card details or even bank details, but this is clearly not PCI-DSS compliant.

    https://www.ssllabs.com/ssltest/analyze.html?d=jointwastesolutions.amcsgroup.com&latest

    You’d think that a company would be happy for somebody to quietly point out their errors, but so far, over a month, I’ve been told by Amey’s social media team that they would pass on the information, and when nothing happened they just ignored me. Surrey Heath Borough Council originally told me that as this was reported before 25th May 2018 it was not covered by the GDPR !!! So I emailed both data protection officers with the information; Amey have yet to reply and SHBC have sent two holding emails.

    I’m still trying to get to the ICO https://ico.org.uk but they seem very busy – let’s hope somebody else doesn’t or hasn’t found this childishly comically configured server. Personally I’d treat the server as compromised but then I’m averagely good at my job.
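    The three findings above (verbose ASP.NET errors, no security headers, SSL v3 still enabled) are all fixable from an elevated PowerShell prompt on the IIS host. The script below is an added example, not anything from the post or from the operators of the site; it assumes the IIS site is called 'Default Web Site' (a placeholder) and that the WebAdministration module is present.

```powershell
# Added example (not from the original post): fix the three issues the post calls out
# on an IIS/ASP.NET host. Run elevated on the server itself.
# Assumed site name (placeholder): adjust to your own site in IIS.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'

# 1. Custom errors: stop leaking the ASP.NET/IIS version and stack traces to visitors.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/customErrors' -Name 'mode' -Value 'On'
# Debug builds also put source lines in error pages; keep it off in production.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/compilation' -Name 'debug' -Value $false

# 2. The response headers securityheaders.com scores a site on.
$headers = @{
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'SAMEORIGIN'
    'Referrer-Policy'           = 'strict-origin-when-cross-origin'
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    # Deliberately strict starting point; relax per application once it is tested.
    'Content-Security-Policy'   = "default-src 'self'"
}
$filter = 'system.webServer/httpProtocol/customHeaders'
foreach ($h in $headers.GetEnumerator()) {
    # Remove any existing entry first so re-running the script does not duplicate it.
    Remove-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
        -AtElement @{name = $h.Key} -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
        -Value @{name = $h.Key; value = $h.Value}
}

# 3. SSL 2.0 (DROWN) and SSL 3.0 (POODLE) are negotiated by SChannel, not IIS, so they are
#    disabled server-side in the registry. A reboot is needed before this takes effect;
#    re-run the SSL Labs test afterwards to confirm.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}
```

    The missing patches and the 400-day uptime are not something a script fixes; that needs Windows Update and a reboot, which the registry change above requires anyway.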


  2. Why Windows 10 is poor

    December 10, 2015 by The Man

    I loved XP and Windows 7 and there is a lot to like with Windows 10 but sometimes you see something and you just think WTF !!!

    [Screenshot: Windows Updates WTF]

    So you couldn’t install updates because my PC was turned off. No shit, Sherlock. At least it’s better than the Metro app update screen, which gives you no clue whatsoever.

    [Screenshot: Are You Doing Anything]


  3. Delete Metro Apps from Windows 10

    November 9, 2015 by The Man

    If you work in an SME and have had the pleasure of Windows 10 you’ll know that Metro (yes, I know it’s not called Metro anymore) apps can be a PITA and seem to have huge updates at regular intervals. 120+ MB per machine (no WSUS for these apps yet) can take up a lot of valuable bandwidth, and let’s not even get started about the security concerns. Indeed these apps seem to be designed with individuals in mind but not companies; I don’t want to log in with a Microsoft account just to update and secure these apps. So let’s just delete them.

    That should fix at least one of the problems with Windows 10.
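    The deletion itself can be scripted. The snippet below is an added example, not code from the post: it removes the Store apps for existing users and then de-provisions them so new profiles don’t get them back. The keep-list is a placeholder to adjust, and the -AllUsers switch on Remove-AppxPackage assumes a reasonably current Windows 10 build.

```powershell
# Added example (not from the original post): remove the built-in Store ("Metro") apps
# so they stop pulling their own updates. Run as administrator on the machine or image.
# Placeholder keep-list: adjust to what your users actually need.
$keep = 'Microsoft.WindowsStore', 'Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos'

# See what is installed before touching anything.
Get-AppxPackage -AllUsers | Select-Object Name, Version, PackageFullName | Sort-Object Name

# 1. Remove the apps already installed for every user profile on this machine.
#    Framework packages are runtimes other apps depend on, so they are left alone;
#    a few system apps refuse removal, which is why errors are not fatal here.
Get-AppxPackage -AllUsers |
    Where-Object { $keep -notcontains $_.Name -and -not $_.IsFramework } |
    ForEach-Object {
        Write-Host "Removing $($_.Name)"
        Remove-AppxPackage -Package $_.PackageFullName -AllUsers -ErrorAction SilentlyContinue
    }

# 2. Remove the provisioned copies too, otherwise every new user profile reinstalls them
#    (and they tend to return with the next feature update, so keep this in your build).
Get-AppxProvisionedPackage -Online |
    Where-Object { $keep -notcontains $_.DisplayName } |
    ForEach-Object {
        Write-Host "De-provisioning $($_.DisplayName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }
```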


  4. Visual Web Developer Express 2013 or 2015 ?

    December 9, 2014 by The Man

    Well, looks like Visual Studio is going through puberty… despite suggesting we were installing 2015, it was, as stated further down, 2013… maybe…

    [Screenshot: vs]

    And once the install was finished we seem to have twins…

    [Screenshot: vs2015]

    Once opened we did indeed have 2013 🙂


  5. Worry about who has your data….

    October 13, 2014 by The Man

    OK, this time all the info was publicly available anyway, but just remember next time you share your data online it could end up on any web site.

    [Screenshot, 2014-10-12]

    Now chiptiming.co.uk have gone out of their way to enable remote debugging, despite everything you are ever told about allowing such things. So would you trust your data with a third party who has no idea about security?


  6. Error 0x800f0922 when trying to install DHCP on Windows 2012

    October 2, 2014 by The Man

    Thanks, Microsoft, for this really informative error screen, but it basically means there is another DHCP server on the network, so you cannot install until you stop it.

    Now ideally I would get a better error message or, heaven forbid, be allowed to install so I can configure it; then I could choose to shut the old DHCP server down when I make this one active.

    [Screenshot, 2014-10-02]