
Lessons from the Field: Bug Tracking

A company's bug tracking software posed a major data security risk

In the course of a recent external penetration test, one of Secureworks' testing experts, Nate Drier, found through enumeration that a popular bug tracking application was running on one of the client's web servers.

Unfortunately, the organization had not put this software behind a VPN, leaving its username enumeration function reachable by anyone on the internet. A valid password was still required to go with each username, but that proved to be only a minor hurdle to getting into the application.

Once in, the information Nate was able to collect about the organization could have been very damaging, and it served as a lesson to the organization about exposing internal tools to the internet. Watch the video to learn more.

Video Transcript:

We were doing an external penetration test for our client, and through the course of enumeration we found they had this really popular bug tracking software installed on one of their web servers, and there is a function of the software that lets you enumerate usernames without being logged in. So the rest of the software is password protected before you can log in and submit tickets, so you had to know valid usernames and passwords, but you could enumerate usernames as anyone on the internet. So using some off-the-shelf tools we were able to enumerate over one thousand usernames.

Once we had a list of usernames we just tried passwords like password1 and, lo and behold, it led us into one of the accounts. So now we were able to log into this bug tracking software and view tickets; we were able to gain additional usernames and passwords, look at code snippets and see all sorts of other internal information. So in general, with things pushed out to the internet, if those don't need to be customer facing, it's best to put those behind a VPN. That way, in this case, we wouldn't have been able to access the portions of that application needed to enumerate usernames in the first place.
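The two phases described in the transcript, unauthenticated username enumeration followed by guessing a common password across many accounts, each leave a distinctive footprint in logs: one client address touching a user-lookup endpoint with many distinct names, then many failed logins spread across distinct users with only one or two attempts each. The following detection script is an added example written for this article; it is not Secureworks' code nor part of any bug tracking product. It assumes a combined-format web access log, an application auth log with a hypothetical `auth: FAILED login user=... ip=...` line format, and hypothetical endpoint paths (`/user/lookup`, `/login`); all sample log lines are constructed.

```python
"""Flag username-enumeration and password-spraying patterns in sample logs.

Added example, not from the original article. Endpoint paths, the auth-log
line format and all log lines below are hypothetical/constructed.
"""
import re
from collections import defaultdict

# Hypothetical unauthenticated user-directory endpoint of the bug tracker.
LOOKUP_PATH = "/user/lookup"

# Combined log format: ip ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Hypothetical application auth-log format for login attempts.
AUTH_RE = re.compile(
    r'^(?P<ts>\S+) auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) ip=(?P<ip>\S+)$'
)

# Constructed sample data: 203.0.113.7 probes six names, then sprays one
# password across five accounts and succeeds on the sixth; 198.51.100.2 is
# an ordinary user who mistypes a password once.
SAMPLE_ACCESS_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:0{i} +0000] '
     f'"GET /user/lookup?name={u} HTTP/1.1" 200 512'
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ['198.51.100.2 - - [10/Oct/2023:13:58:00 +0000] "GET /user/lookup?name=alice HTTP/1.1" 200 512',
       'this line is deliberately malformed and must be skipped']
)
SAMPLE_AUTH_LOG = "\n".join(
    [f"2023-10-10T14:01:0{i}Z auth: FAILED login user={u} ip=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + ["2023-10-10T14:01:05Z auth: OK login user=frank ip=203.0.113.7",
       "2023-10-10T14:02:00Z auth: FAILED login user=alice ip=198.51.100.2",
       "2023-10-10T14:02:05Z auth: OK login user=alice ip=198.51.100.2"]
)


def _username_from_path(path):
    """Return the ?name= or ?user= query value, or None."""
    m = re.search(r"[?&](?:name|user)=([^&]+)", path)
    return m.group(1) if m else None


def analyze(access_log, auth_log, enum_threshold=5, spray_threshold=5):
    """Return a list of findings; each is a dict with a 'type' key."""
    lookups = defaultdict(set)            # ip -> usernames probed
    failed_users = defaultdict(lambda: defaultdict(int))  # ip -> user -> fails
    success_after_fail = defaultdict(bool)  # ip -> saw OK login after failures

    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        path = m.group("path")
        user = _username_from_path(path)
        if path.split("?", 1)[0] == LOOKUP_PATH and user:
            lookups[m.group("ip")].add(user)

    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        if m.group("result") == "FAILED":
            failed_users[ip][user] += 1
        elif failed_users[ip]:
            success_after_fail[ip] = True

    findings = []
    for ip, users in lookups.items():
        if len(users) >= enum_threshold:
            findings.append({"type": "username_enumeration", "ip": ip,
                             "distinct_users": len(users)})
    for ip, per_user in failed_users.items():
        # Spraying: many distinct users, few attempts per user.
        if len(per_user) >= spray_threshold:
            findings.append({"type": "password_spray", "ip": ip,
                             "distinct_users": len(per_user),
                             "max_attempts_per_user": max(per_user.values()),
                             "succeeded_after": success_after_fail[ip]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ACCESS_LOG, SAMPLE_AUTH_LOG):
        print(f)
```

The `succeeded_after` flag is what turns a noisy alert into an urgent one: a successful login from an address that just failed against many distinct accounts is the moment the transcript describes, when a guessed password "led us into one of the accounts". Thresholds are deliberately low for the constructed sample; tune them to the real rate of legitimate directory lookups and typos on the system being monitored.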
