Re: [fw-wiz] Kinko's Waning Security

From: Ryan M. Ferris (rferris_at_rmfdevelopment.com)
Date: 04/22/04

  • Next message: S. Jonah Pressman: "Re: [fw-wiz] Kinko's Waning Security"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Thu, 22 Apr 2004 09:01:59 -0700 (Pacific Daylight Time)
    
    

    ...good patient advice as usual from Mr. Paul D. Robertson....however if
    even half the allegations made in this e-mail are true...then this letter
    is probably already in the hands of a Kinko's shareholder or some
    representative of the department of Homeland Security.

    " Finally, our brand spanking new business card approval system has the
    same username and password for every branch in the world. I can access
    my neighboring branch's system and authorize or delete all the orders
    I like..."

    This is too much for me to believe...I wonder if Kinko's contracts with
    the DoD or Homeland Security...?

    Ryan M. Ferris
    rferris@rmfnetworksecurity.com

    On Thu, 22 Apr 2004, Paul D. Robertson wrote:

    > On Wed, 21 Apr 2004, Chuck Vose wrote:
    >
    > > I work for Kinko's and I'm beginning to worry about the security from
    > > above. I would like to hear advice on how to request greater security
    > > when you have no buying power or authority at all (the copy guy
    > > downstairs doesn't get a whole lot of say over the network decisions).
    >
    > Getting security budget really needs to be a culture change for most large
    > organizations. Typically, there's a delicate balance between being the
    > guy who informs everyone, and being that pain-in-the-rear who used to work
    > here...
    >
    > For a business, the real key is risk, not security. How imenent are the
    > threats, how much do the protections cost, and which things should be
    > addressed first...
    >
    > > For instance, passwords are getting weaker and weaker. It used to be
    > > mandatory to have a 4 digit password to access the register, however
    > > it's been lowered to 1 digit. This seems like an incredibly bad idea.
    >
    > On the surface it does, since a random attacker has a 1-in-N chance of
    > figuring it out. However, a targeter of choice will likely get the
    > password anyway- and the bar to doing so is pretty low (camera, yellow
    > sticky, temp job...) So the real question is "how likely is an attacker
    > to randomly attack and try a one character password versus using another
    > method?"
    >
    > Reusable passwords suck, making them longer doesn't necessarily change
    > your overall risk very significantly at all in terms of real-world attacks.
    >
    > If everyone was writing down the longer passwords, then it changes it not
    > one bit.
    >
    > For a retail environment, I'd worry more about "How do I know it was
    > employee X instead of employee Y?" for things like register passwords.
    > The answer may well be "I have it on video."
    >
    > > Passwords on the email system and the internal core downloads have never
    > > changed. In fact, we wrote the password on a keyboard long, long ago and
    > > it's beginning to wear off just from people typing on it. I can't rub
    > > sharpie ink off with all the grit I can muster, yet it's wearing off
    > > through I can only assume erosion.
    >
    > Ah, see- here we have an example of why "strong" passwords suck! Someone
    > always writes them down- in indelible ink on the keyboard is unreal. I'd
    > consider putting a duress password on like that, or a false password that
    > kicked off IDS.
    >
    > > > Finally, our brand spanking new business card approval system has the
    > > same username and password for every branch in the world. I can access
    > > my neighboring branch's system and authorize or delete all the orders I
    > > like. Were I inclines I would make a fake order for 8 million business
    > > cards at another store, access the auth page, and let the store buy the
    > > cards. Once we release the store has to buy the cards even if they
    > > aren't sold, but the authorization process isn't limited at all. Hell
    > > customers will probably start doing their own cards once they figure out
    > > the system (which knowing the internet, won't be long).
    >
    > This one is probably worth a risk analysis paper. If you're going to do
    > one, and you want to stay employed, then I'd (a) never do anything that
    > could be construed wrongly, and (b) get approval from someone in
    > management *before* you write one. Propose it verbally first- then in
    > writing- and explain that you're going to do it all on paper, that you're
    > concerned for the business, etc.
    >
    > > What do you do when your employer is getting more and more stupid about
    > > security? I could go on about the problems, they touch into physical
    > > security, VLANs being the main security, poor password systems (in more
    > > than the items mentioned). In fact, Kinko's would probably make a fine
    > > "How not to secure your company" subject.
    >
    > If it's "Your problem" in that you're responsible for some part of it
    > (rather than the general "I work here, so I share responsibility," you do
    > what you can to fix it, or you find somewhere else to go.)
    >
    > > Compounded, I'm not sure that the manager will know or care. And I'm
    > > certain that our IT girl knows far less about it than he does. She
    > > doesn't know what spyware is nor why it's a problem for it to be on the
    > > ghost images that she uses once a month (there's viruses too).
    > >
    > > Help! Please!!
    >
    > I don't know if Kinkos is franchised or all company owned- if the latter,
    > then someone has to "own" security- but they likely don't own store
    > authority. That puts them in the fun spot. If you can figure out who it
    > is, or if there's an internal audit department with infosec
    > responsibility- then they're the folks who need to know. Unfortunately-
    > talking to audit is often (and I'm speaking from experience here) taken
    > the wrong way by executive management if they're under an audit[1].
    >
    > Here's an interesting approach-
    >
    > If you're in school (heck, I dunno- might be worth signing up to do it...)
    > ask if you can do a risk assessment as a research project for your
    > classes. However, balance the shock and awe with some *easy* and
    > *inexpensive* ways for the company to fix these problems. Handing someone
    > a laundry list of issues without any fixes is a sure way to end up the bad
    > guy.
    >
    > If the IT person isn't skilled, then educate them- but NOT by rooting
    > their machine and "proving" how bad things are. Explain about DDoS
    > attacks, machine hopping, and everything. Explain about spyware's use in
    > that, as well as the general trojan threat. Then give them 4 things (or
    > less) they can do to remove most of the risk. Make sure it's easy and
    > repeatable. I probably wouldn't refer to them as "IT girl" either- it
    > sets a bad tone, and layer 8[2] is more important than the first 7 layers.
    >
    > Success in the corporate world is measured one step at a time. Going all
    > out with the first push is more likely to fail than getting a step a month
    > for a year.
    >
    > Paul
    > [1.] I suppose it's considered poor form if the auditor has to have you
    > come into the CIO's office to explain the results of their audit.
    > [2.] The political layer.
    > -----------------------------------------------------------------------------
    > Paul D. Robertson "My statements in this message are personal opinions
    > paul@compuwar.net which may have no basis whatsoever in fact."
    > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: S. Jonah Pressman: "Re: [fw-wiz] Kinko's Waning Security"