To increase the adoption rate of Lotus Notes. To find out more about our Lotus Notes archiving and e-discovery systems, please CLICK HERE.

 
alt

Eugen Tarnow

 

Has Lotus Notes ever been hacked on a large scale?

Eugen Tarnow  August 16 2011 01:50:24 PM
I know that Google’s email platform, Gmail, has been hacked before. Google has actually been the victim of China-based cyber attacks against some high-profile inboxes. This is not surprising, though, as Sino-Google relations are tenuous to say the least.

Hearing negative news about a Lotus Notes competitor doesn’t make me feel better as a person because I don’t want anything bad to happen to anyone, but it does make me feel better as a professional. Also see this support question post in which an administrator talks about “hidden treasures” on an Exchange server, though I may have said all this too soon.

I wonder: has there ever been a notable cyber attack against a Lotus Notes system? I can’t think of one offhand. It seems that IBM’s system has been spared such problems for the most part. It’s certainly possible. Type “lotus notes hacking” into Google Search, and you’ll find some seedy websites that ethically should not be indexed. There was also that way to get inside onto a Lotus Notes user’s PC through a malicious email, though that problem was fixed. ReduceMail Pro, our mail management system, has never been hacked.

So, has there ever been a major cyber attack involving Lotus Notes? Or have you personally ever seen a Lotus Notes system get hacked?
Comments

1Tim Paque  8/16/2011 2:18:20 PM  Has Lotus Notes ever been hacked on a large scale?

Sort of, way back in R4.

Back when they first added web capabilities to Lotus Notes, anyone who had and ID without a password could log into that persons mailfile via the web with only a username.

Yes, this was also the fault of the incompetent Admins who shouldn't have allowed that. But it shouldn't have been possible in the first place.

It wasn't like one large single breach, it was thousands of little ones, that required very little effort.

2John Turnbow  8/16/2011 3:43:16 PM  Has Lotus Notes ever been hacked on a large scale?

I have never heard of on a Large scale, like Tim said not since R4...

Interesting history about ExxonMobil though, years ago they switched to Lotus Notes Mail due to a large breach on the Exxon side using Exchange, the Mobil side did NOT have any issues and lose any business using Lotus Notes. The Exxon side was down for a week! But get a new CIO and ExxonMobil spends $100 Mil to go to Exchange. So, a CIO decison over security. I'll bet the security guys at ExxonMobil are going crazy now... LOL

3Mat Newman  8/16/2011 5:00:32 PM  Has Lotus Notes ever been hacked on a large scale?

No.

'Lotus Notes' has never been hacked.

Some access had been gained through a browser using the Domino web-server add-in.

4Keith Brooks  8/16/2011 6:53:00 PM  Has Lotus Notes ever been hacked on a large scale?

As I discussed in my session at The View 2011 on hacking your server, there have been more internal issues than external.

That said poor administration and/or development habits can lead to issues, as can leaving your names.nsf on anything except no access for default and anonymous.

Once someone has access to the NAB anything is possible.

We have had lately attacks coming against LDAP and I reminded people to not use anonymous access, always use login/pw for LDAP.

Sometimes you get trojans and other SMTP issues but a serious hack against a database of corporate data, I would also have to go back to R5 or earlier perhaps.

Then again, who would admit it if it happenned?

5Jerry Carter  8/18/2011 9:33:03 AM  Has Lotus Notes ever been hacked on a large scale?

One other hack I'm aware of, also only small but potentially big would have been an internal one. My former co-worker (someone I still respect today) took advantage of a loose ECL which allowed others to modify local databases. He sent me a Meno form, as opposed to a Memo with a stored form and embedded code which he used to add himself as manager to an ACL on one of my databases and reduce me to Editor. Boy was I PO'd! I had a laugh though, made a really lame attempt to send the same kind of attack back to him but he had obviously secured himself against the hack.

Recent Comments