Pwned
Coverage of Pwned in the Nexus archive.
- Hackers shoveled snow for company, were rewarded with network admin access
Two red teamers gained unauthorized access to a company's network by pretending to be IT employees and shoveling snow. They used a Raspberry Pi to breach the network, hiding it in a conference room, but the breach was detected the next day.
- Zombie user account let hackers control the city’s water
A municipality's water utility was compromised by hackers who gained access through a dormant employee account belonging to a former auditor named Greg. The attacker exploited a leaked password that Greg had reused across work and personal accounts, gaining extensive privileges including domain admin and SCADA operator access. The incident highlights critical failures in account management and the importance of regular access audits.
- Finance company stores DB credentials in helpfully labeled spreadsheet
A finance company stored sensitive database credentials in an Excel file with weak password protection, leading to a security breach. The article criticizes this poor security practice, highlighting the vulnerability of sensitive information in inadequately protected spreadsheets.
- Sharing isn’t caring if it’s an admin password
The article discusses the risks of sharing admin passwords, highlighting how poor security practices by developers can lead to significant vulnerabilities. It references the 'PWNED' column, which showcases examples of bad server security decisions.
- Server-room lock was nothing but a crock
The article criticizes a security vulnerability caused by inadequate physical security measures, specifically an unlocked server room, leading to a breach. It highlights the importance of physical security as a critical component of overall cybersecurity.
- Sticky-note security turned gym into hall of '80s horrors
A gym's fitness equipment was compromised due to exposed security credentials, highlighting vulnerabilities in physical spaces. The incident is featured in the 'Pwned' column, which shares IT security mishap stories.