Re: [fw-wiz] Kinko's Waning Security

From: Ryan M. Ferris (rferris_at_rmfdevelopment.com)
Date: 04/22/04

    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Thu, 22 Apr 2004 09:01:59 -0700 (Pacific Daylight Time)

    ...good patient advice as usual from Mr. Paul D. Robertson....however if
    even half the allegations made in this e-mail are true...then this letter
    is probably already in the hands of a Kinko's shareholder or some
    representative of the Department of Homeland Security.

    " Finally, our brand spanking new business card approval system has the
    same username and password for every branch in the world. I can access
    my neighboring branch's system and authorize or delete all the orders
    I like..."

    This is too much for me to believe...I wonder if Kinko's contracts with
    the DoD or Homeland Security...?

    Ryan M. Ferris
    rferris@rmfnetworksecurity.com

    On Thu, 22 Apr 2004, Paul D. Robertson wrote:

    > On Wed, 21 Apr 2004, Chuck Vose wrote:
    >
    > > I work for Kinko's and I'm beginning to worry about the security from
    > > above. I would like to hear advice on how to request greater security
    > > when you have no buying power or authority at all (the copy guy
    > > downstairs doesn't get a whole lot of say over the network decisions).
    >
    > Getting security budget really needs to be a culture change for most large
    > organizations. Typically, there's a delicate balance between being the
    > guy who informs everyone, and being that pain-in-the-rear who used to work
    > here...
    >
    > For a business, the real key is risk, not security. How imminent are the
    > threats, how much do the protections cost, and which things should be
    > addressed first...
    >
    > > For instance, passwords are getting weaker and weaker. It used to be
    > > mandatory to have a 4 digit password to access the register, however
    > > it's been lowered to 1 digit. This seems like an incredibly bad idea.
    >
    > On the surface it does, since a random attacker has a 1-in-N chance of
    > figuring it out. However, a targeter of choice will likely get the
    > password anyway- and the bar to doing so is pretty low (camera, yellow
    > sticky, temp job...) So the real question is "how likely is an attacker
    > to randomly attack and try a one character password versus using another
    > method?"
    >
    > Reusable passwords suck, making them longer doesn't necessarily change
    > your overall risk very significantly at all in terms of real-world attacks.
    >
    > If everyone was writing down the longer passwords, then it changes it not
    > one bit.
    >
    > For a retail environment, I'd worry more about "How do I know it was
    > employee X instead of employee Y?" for things like register passwords.
    > The answer may well be "I have it on video."
    >
    > > Passwords on the email system and the internal core downloads have never
    > > changed. In fact, we wrote the password on a keyboard long, long ago and
    > > it's beginning to wear off just from people typing on it. I can't rub
    > > sharpie ink off with all the grit I can muster, yet it's wearing off
    > > through I can only assume erosion.
    >
    > Ah, see- here we have an example of why "strong" passwords suck! Someone
    > always writes them down- in indelible ink on the keyboard is unreal. I'd
    > consider putting a duress password on like that, or a false password that
    > kicked off IDS.
    >
    > > Finally, our brand spanking new business card approval system has the
    > > same username and password for every branch in the world. I can access
    > > my neighboring branch's system and authorize or delete all the orders I
    > > like. Were I inclined I would make a fake order for 8 million business
    > > cards at another store, access the auth page, and let the store buy the
    > > cards. Once we release the store has to buy the cards even if they
    > > aren't sold, but the authorization process isn't limited at all. Hell
    > > customers will probably start doing their own cards once they figure out
    > > the system (which knowing the internet, won't be long).
    >
    > This one is probably worth a risk analysis paper. If you're going to do
    > one, and you want to stay employed, then I'd (a) never do anything that
    > could be construed wrongly, and (b) get approval from someone in
    > management *before* you write one. Propose it verbally first- then in
    > writing- and explain that you're going to do it all on paper, that you're
    > concerned for the business, etc.
    >
    > > What do you do when your employer is getting more and more stupid about
    > > security? I could go on about the problems, they touch into physical
    > > security, VLANs being the main security, poor password systems (in more
    > > than the items mentioned). In fact, Kinko's would probably make a fine
    > > "How not to secure your company" subject.
    >
    > If it's "Your problem" in that you're responsible for some part of it
    > (rather than the general "I work here, so I share responsibility," you do
    > what you can to fix it, or you find somewhere else to go.)
    >
    > > Compounded, I'm not sure that the manager will know or care. And I'm
    > > certain that our IT girl knows far less about it than he does. She
    > > doesn't know what spyware is nor why it's a problem for it to be on the
    > > ghost images that she uses once a month (there's viruses too).
    > >
    > > Help! Please!!
    >
    > I don't know if Kinko's is franchised or all company owned- if the latter,
    > then someone has to "own" security- but they likely don't own store
    > authority. That puts them in the fun spot. If you can figure out who it
    > is, or if there's an internal audit department with infosec
    > responsibility- then they're the folks who need to know. Unfortunately-
    > talking to audit is often (and I'm speaking from experience here) taken
    > the wrong way by executive management if they're under an audit[1].
    >
    > Here's an interesting approach-
    >
    > If you're in school (heck, I dunno- might be worth signing up to do it...)
    > ask if you can do a risk assessment as a research project for your
    > classes. However, balance the shock and awe with some *easy* and
    > *inexpensive* ways for the company to fix these problems. Handing someone
    > a laundry list of issues without any fixes is a sure way to end up the bad
    > guy.
    >
    > If the IT person isn't skilled, then educate them- but NOT by rooting
    > their machine and "proving" how bad things are. Explain about DDoS
    > attacks, machine hopping, and everything. Explain about spyware's use in
    > that, as well as the general trojan threat. Then give them 4 things (or
    > less) they can do to remove most of the risk. Make sure it's easy and
    > repeatable. I probably wouldn't refer to them as "IT girl" either- it
    > sets a bad tone, and layer 8[2] is more important than the first 7 layers.
    >
    > Success in the corporate world is measured one step at a time. Going all
    > out with the first push is more likely to fail than getting a step a month
    > for a year.
    >
    > Paul
    > [1.] I suppose it's considered poor form if the auditor has to have you
    > come into the CIO's office to explain the results of their audit.
    > [2.] The political layer.
    > -----------------------------------------------------------------------------
    > Paul D. Robertson
    > paul@compuwar.net
    > probertson@trusecure.com
    > Director of Risk Assessment, TruSecure Corporation
    > "My statements in this message are personal opinions which may have no
    > basis whatsoever in fact."
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
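Two defensive ideas in Paul Robertson's reply above are concrete enough to show in code: a "false password that kicked off IDS" (a canary credential for the value that has been written on the keyboard for years), and an audit trail that answers his retail question "how do I know it was employee X instead of employee Y?" The following is an added example and is not code from the firewall-wizards thread or from Kinko's; the `RegisterAuth` class, the user names, the terminal ids and every password in it are constructed placeholders.

```python
"""Canary-credential check with a per-user audit trail (added example).

Real credentials are stored as salted PBKDF2 hashes and compared in constant
time.  A separate table holds canary ("false") credentials: a login attempt
that matches one is refused, logged, and raises an alert, which is the
"false password that kicks off IDS" idea from the thread.  Every attempt is
recorded against a user and a terminal so that a later question about who
authorised something can be answered from the log rather than guessed.
All names and secrets below are constructed for the example.
"""
import hashlib
import hmac
import os
import time

# Illustrative work factor; tune for the hardware the check runs on.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class RegisterAuth:
    """Minimal authentication store for a shared register or approval system."""

    def __init__(self):
        self._users = {}      # user -> (salt, hash) for real credentials
        self._canaries = {}   # user -> (salt, hash) for canary credentials
        self.audit_log = []   # one dict per attempt: who, where, outcome
        self.alerts = []      # IDS-style alerts raised by canary hits

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def add_canary(self, user: str, false_password: str) -> None:
        """Register a credential that must never succeed but must be noticed.

        Typical use: the old shared password still written on the keyboard,
        kept as a tripwire after staff have moved to individual accounts.
        """
        salt = os.urandom(16)
        self._canaries[user] = (salt, _hash_password(false_password, salt))

    @staticmethod
    def _matches(entry, password: str) -> bool:
        if entry is None:
            return False
        salt, expected = entry
        # compare_digest avoids leaking which prefix of the hash matched.
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def login(self, user: str, password: str, terminal: str) -> bool:
        """Authenticate one attempt; always writes an audit record."""
        record = {"time": time.time(), "user": user, "terminal": terminal}

        # Canary check runs first so a leaked credential is caught even if
        # someone later re-adds it as a real password by mistake.
        if self._matches(self._canaries.get(user), password):
            record["outcome"] = "canary"
            self.audit_log.append(record)
            self.alerts.append(
                f"ALERT canary credential for {user!r} used at {terminal}")
            return False

        if self._matches(self._users.get(user), password):
            record["outcome"] = "success"
            self.audit_log.append(record)
            return True

        record["outcome"] = "failure"
        self.audit_log.append(record)
        return False


def demo() -> RegisterAuth:
    """Constructed scenario: individual accounts plus one canary for the
    shared credential that used to be written on the keyboard."""
    auth = RegisterAuth()
    auth.add_user("employee_x", "correct-horse-battery")   # constructed
    auth.add_user("employee_y", "staple-purple-monkey")    # constructed
    auth.add_canary("store", "1234")                       # constructed
    auth.login("employee_x", "correct-horse-battery", "register-1")
    auth.login("employee_y", "wrong-guess", "register-1")
    auth.login("store", "1234", "register-2")              # trips the canary
    return auth


if __name__ == "__main__":
    a = demo()
    for entry in a.audit_log:
        print(entry["user"], entry["terminal"], entry["outcome"])
    for alert in a.alerts:
        print(alert)
```

The audit record is written on every path, including the canary path, so the log is complete even when the alert channel is lost; the alert list stands in for whatever the site actually uses (syslog, an IDS hook, a pager).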

