Re: [fw-wiz] Kinko's Waning Security
From: Ryan M. Ferris (rferris_at_rmfdevelopment.com)
To: "Paul D. Robertson" <firstname.lastname@example.org> Date: Thu, 22 Apr 2004 09:01:59 -0700 (Pacific Daylight Time)
...good patient advice as usual from Mr. Paul D. Robertson....however if
even half the allegations made in this e-mail are true...then this letter
is probably already in the hands of a Kinko's shareholder or some
representative of the department of Homeland Security.
" Finally, our brand spanking new business card approval system has the
same username and password for every branch in the world. I can access
my neighboring branch's system and authorize or delete all the orders
This is too much for me to believe...I wonder if Kinko's contracts with
the DoD or Homeland Security...?
Ryan M. Ferris
On Thu, 22 Apr 2004, Paul D. Robertson wrote:
> On Wed, 21 Apr 2004, Chuck Vose wrote:
> > I work for Kinko's and I'm beginning to worry about the security from
> > above. I would like to hear advice on how to request greater security
> > when you have no buying power or authority at all (the copy guy
> > downstairs doesn't get a whole lot of say over the network decisions).
> Getting security budget really needs to be a culture change for most large
> organizations. Typically, there's a delicate balance between being the
> guy who informs everyone, and being that pain-in-the-rear who used to work
> For a business, the real key is risk, not security. How imenent are the
> threats, how much do the protections cost, and which things should be
> addressed first...
> > For instance, passwords are getting weaker and weaker. It used to be
> > mandatory to have a 4 digit password to access the register, however
> > it's been lowered to 1 digit. This seems like an incredibly bad idea.
> On the surface it does, since a random attacker has a 1-in-N chance of
> figuring it out. However, a targeter of choice will likely get the
> password anyway- and the bar to doing so is pretty low (camera, yellow
> sticky, temp job...) So the real question is "how likely is an attacker
> to randomly attack and try a one character password versus using another
> Reusable passwords suck, making them longer doesn't necessarily change
> your overall risk very significantly at all in terms of real-world attacks.
> If everyone was writing down the longer passwords, then it changes it not
> one bit.
> For a retail environment, I'd worry more about "How do I know it was
> employee X instead of employee Y?" for things like register passwords.
> The answer may well be "I have it on video."
> > Passwords on the email system and the internal core downloads have never
> > changed. In fact, we wrote the password on a keyboard long, long ago and
> > it's beginning to wear off just from people typing on it. I can't rub
> > sharpie ink off with all the grit I can muster, yet it's wearing off
> > through I can only assume erosion.
> Ah, see- here we have an example of why "strong" passwords suck! Someone
> always writes them down- in indelible ink on the keyboard is unreal. I'd
> consider putting a duress password on like that, or a false password that
> kicked off IDS.
> > > Finally, our brand spanking new business card approval system has the
> > same username and password for every branch in the world. I can access
> > my neighboring branch's system and authorize or delete all the orders I
> > like. Were I inclines I would make a fake order for 8 million business
> > cards at another store, access the auth page, and let the store buy the
> > cards. Once we release the store has to buy the cards even if they
> > aren't sold, but the authorization process isn't limited at all. Hell
> > customers will probably start doing their own cards once they figure out
> > the system (which knowing the internet, won't be long).
> This one is probably worth a risk analysis paper. If you're going to do
> one, and you want to stay employed, then I'd (a) never do anything that
> could be construed wrongly, and (b) get approval from someone in
> management *before* you write one. Propose it verbally first- then in
> writing- and explain that you're going to do it all on paper, that you're
> concerned for the business, etc.
> > What do you do when your employer is getting more and more stupid about
> > security? I could go on about the problems, they touch into physical
> > security, VLANs being the main security, poor password systems (in more
> > than the items mentioned). In fact, Kinko's would probably make a fine
> > "How not to secure your company" subject.
> If it's "Your problem" in that you're responsible for some part of it
> (rather than the general "I work here, so I share responsibility," you do
> what you can to fix it, or you find somewhere else to go.)
> > Compounded, I'm not sure that the manager will know or care. And I'm
> > certain that our IT girl knows far less about it than he does. She
> > doesn't know what spyware is nor why it's a problem for it to be on the
> > ghost images that she uses once a month (there's viruses too).
> > Help! Please!!
> I don't know if Kinkos is franchised or all company owned- if the latter,
> then someone has to "own" security- but they likely don't own store
> authority. That puts them in the fun spot. If you can figure out who it
> is, or if there's an internal audit department with infosec
> responsibility- then they're the folks who need to know. Unfortunately-
> talking to audit is often (and I'm speaking from experience here) taken
> the wrong way by executive management if they're under an audit.
> Here's an interesting approach-
> If you're in school (heck, I dunno- might be worth signing up to do it...)
> ask if you can do a risk assessment as a research project for your
> classes. However, balance the shock and awe with some *easy* and
> *inexpensive* ways for the company to fix these problems. Handing someone
> a laundry list of issues without any fixes is a sure way to end up the bad
> If the IT person isn't skilled, then educate them- but NOT by rooting
> their machine and "proving" how bad things are. Explain about DDoS
> attacks, machine hopping, and everything. Explain about spyware's use in
> that, as well as the general trojan threat. Then give them 4 things (or
> less) they can do to remove most of the risk. Make sure it's easy and
> repeatable. I probably wouldn't refer to them as "IT girl" either- it
> sets a bad tone, and layer 8 is more important than the first 7 layers.
> Success in the corporate world is measured one step at a time. Going all
> out with the first push is more likely to fail than getting a step a month
> for a year.
> [1.] I suppose it's considered poor form if the auditor has to have you
> come into the CIO's office to explain the results of their audit.
> [2.] The political layer.
> Paul D. Robertson "My statements in this message are personal opinions
> email@example.com which may have no basis whatsoever in fact."
> firstname.lastname@example.org Director of Risk Assessment TruSecure Corporation
> firewall-wizards mailing list
firewall-wizards mailing list