There have been many funny cases in my career. Once you understand them, you either become disillusioned with humanity or sharpen your sense of humor.
Passwords in plain text. I tested well-protected organizations with a mature level of information security: they had full-fledged external protection, thanks to which it seemed impossible to get into their internal infrastructure. But there was a loophole there too! I detected an unsafe configuration on the wireless access points. I created a fake wireless access point with the same name as the customer's, attacked the clients' devices and prompted them to authenticate to my access point, but over a protocol that hands out credentials in plain text, and with those credentials I got into the internal network.
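The weak spot in that story is a supplicant that will complete EAP authentication against any server and then hand over the password through a plaintext inner method. Below is an added example, not code from the original post: a small Python auditor that scans wpa_supplicant-style network blocks and flags exactly those conditions (no server certificate validation, no pinned server name, PAP or GTC as the inner method). The config text, SSIDs, certificate path and the radius.corp.example name are constructed for the example and do not come from any real customer.

```python
import re

# Inner (phase 2) EAP methods that deliver the user's password to whatever
# terminates the TLS tunnel. Against a rogue access point whose server
# certificate is never checked, that endpoint is the attacker.
PLAINTEXT_INNER = {"PAP", "GTC"}

NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
KEY_VALUE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)


def parse_networks(conf: str) -> list[dict[str, str]]:
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    return [dict(KEY_VALUE.findall(m.group(1))) for m in NETWORK_BLOCK.finditer(conf)]


def audit_network(net: dict[str, str]) -> list[str]:
    """List the settings that let an evil twin harvest this profile's credentials."""
    issues = []
    # Assumption for this example: a block with no key_mgmt is treated as PSK.
    if "WPA-EAP" not in net.get("key_mgmt", "WPA-PSK"):
        return issues  # PSK / open networks: no EAP credentials to harvest here

    # 1. Server identity: without ca_cert the supplicant accepts any certificate
    #    the rogue RADIUS server presents, so the TLS tunnel ends at the attacker.
    if not net.get("ca_cert"):
        issues.append("no ca_cert: any server certificate is accepted")
    # 2. Even with a trusted CA, the server name must be pinned, or any
    #    certificate that CA ever issued will satisfy the client.
    if not any(net.get(k) for k in ("domain_suffix_match", "domain_match", "subject_match")):
        issues.append("no domain_suffix_match/domain_match/subject_match: server name not pinned")
    # 3. Inner method: PAP and GTC send the password itself; MSCHAPv2 sends a
    #    challenge-response that the attacker must still crack offline.
    m = re.search(r"auth(?:eap)?=(\w+)", net.get("phase2", ""), re.I)
    inner = m.group(1).upper() if m else ""
    if inner in PLAINTEXT_INNER:
        issues.append(f"inner method {inner} sends the password in clear text inside the tunnel")
    return issues


def audit_config(conf: str) -> dict[str, list[str]]:
    """Map each SSID in the config to its findings (empty list = nothing found)."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(conf)}


# Constructed sample, not a real customer's config. The first profile mirrors
# the setup in the story; the second shows the hardened version of the same profile.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    phase2="auth=PAP"
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The order of the three checks matters in practice: a client that validates the server certificate and pins its name refuses the rogue access point before phase 2 ever starts, so the inner method never gets a chance to leak anything. The same settings exist under other names on managed Windows clients ("Validate server certificate" and the list of allowed server names in the PEAP profile); the check is the same whichever supplicant is in use.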
Disregard for security. One day, a colleague and I came to do an internal pentest at a solid organization. We come to the information security department, a small room in which three people are sitting. The manager introduces us and leaves, and the guys say: here are the chairs, here is the locker, get to work, we are off for a smoke. And they just leave us, strangers, in their department, with all the data, keys and red buttons.
Phishing. In one company, employees managed to enter their passwords 15 times into a phishing window. We had updated the web version of Outlook, and everyone really wanted to get into it; no one was put off by the wrong phone number or the changed color scheme of the window.
By the way, my first experience in red teaming started exactly like that: I got into one company with the help of phishing. So I'll give you some security tips:
Do not open suspicious emails, check the sender’s address, do not click on questionable links.
Do not download programs from torrents, pay for software, use only licensed products.
Check which sites you are visiting: is the address spelled correctly, could it be a phishing site?
Do not transmit passwords in clear text.
Do not leave equipment unattended while it is unlocked, and do not give anyone access to it.
Do not provide personal data or passwords over the phone.
Take your time. If someone sends you an email that appeals to urgency, profit or authority, that is a warning sign.