Re: [fw-wiz] Kinko's Waning Security
From: Ryan M. Ferris (rferris_at_rmfdevelopment.com)
Date: 04/22/04
- Previous message: Losinski, Robert: "RE: [fw-wiz] PocketPC firewalls"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Kinko's Waning Security"
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] Kinko's Waning Security"
- Reply: Paul D. Robertson: "Re: [fw-wiz] Kinko's Waning Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Paul D. Robertson" <paul@compuwar.net>
Date: Thu, 22 Apr 2004 09:01:59 -0700 (Pacific Daylight Time)
...good patient advice as usual from Mr. Paul D. Robertson....however if
even half the allegations made in this e-mail are true...then this letter
is probably already in the hands of a Kinko's shareholder or some
representative of the Department of Homeland Security.
" Finally, our brand spanking new business card approval system has the
same username and password for every branch in the world. I can access
my neighboring branch's system and authorize or delete all the orders
I like..."
This is too much for me to believe...I wonder if Kinko's contracts with
the DoD or Homeland Security...?
Ryan M. Ferris
rferris@rmfnetworksecurity.com
On Thu, 22 Apr 2004, Paul D. Robertson wrote:
> On Wed, 21 Apr 2004, Chuck Vose wrote:
>
> > I work for Kinko's and I'm beginning to worry about the security from
> > above. I would like to hear advice on how to request greater security
> > when you have no buying power or authority at all (the copy guy
> > downstairs doesn't get a whole lot of say over the network decisions).
>
> Getting security budget really needs to be a culture change for most large
> organizations. Typically, there's a delicate balance between being the
> guy who informs everyone, and being that pain-in-the-rear who used to work
> here...
>
> For a business, the real key is risk, not security. How imminent are the
> threats, how much do the protections cost, and which things should be
> addressed first...
>
> > For instance, passwords are getting weaker and weaker. It used to be
> > mandatory to have a 4 digit password to access the register, however
> > it's been lowered to 1 digit. This seems like an incredibly bad idea.
>
> On the surface it does, since a random attacker has a 1-in-N chance of
> figuring it out. However, a targeter of choice will likely get the
> password anyway- and the bar to doing so is pretty low (camera, yellow
> sticky, temp job...) So the real question is "how likely is an attacker
> to randomly attack and try a one character password versus using another
> method?"
>
> Reusable passwords suck, making them longer doesn't necessarily change
> your overall risk very significantly at all in terms of real-world attacks.
>
> If everyone was writing down the longer passwords, then it changes it not
> one bit.
>
> For a retail environment, I'd worry more about "How do I know it was
> employee X instead of employee Y?" for things like register passwords.
> The answer may well be "I have it on video."
>
> > Passwords on the email system and the internal core downloads have never
> > changed. In fact, we wrote the password on a keyboard long, long ago and
> > it's beginning to wear off just from people typing on it. I can't rub
> > sharpie ink off with all the grit I can muster, yet it's wearing off
> > through I can only assume erosion.
>
> Ah, see- here we have an example of why "strong" passwords suck! Someone
> always writes them down- in indelible ink on the keyboard is unreal. I'd
> consider putting a duress password on like that, or a false password that
> kicked off IDS.
>
> > Finally, our brand spanking new business card approval system has the
> > same username and password for every branch in the world. I can access
> > my neighboring branch's system and authorize or delete all the orders I
> > like. Were I inclined I would make a fake order for 8 million business
> > cards at another store, access the auth page, and let the store buy the
> > cards. Once we release the store has to buy the cards even if they
> > aren't sold, but the authorization process isn't limited at all. Hell
> > customers will probably start doing their own cards once they figure out
> > the system (which knowing the internet, won't be long).
>
> This one is probably worth a risk analysis paper. If you're going to do
> one, and you want to stay employed, then I'd (a) never do anything that
> could be construed wrongly, and (b) get approval from someone in
> management *before* you write one. Propose it verbally first- then in
> writing- and explain that you're going to do it all on paper, that you're
> concerned for the business, etc.
>
> > What do you do when your employer is getting more and more stupid about
> > security? I could go on about the problems, they touch into physical
> > security, VLANs being the main security, poor password systems (in more
> > than the items mentioned). In fact, Kinko's would probably make a fine
> > "How not to secure your company" subject.
>
> If it's "Your problem" in that you're responsible for some part of it
> (rather than the general "I work here, so I share responsibility"), you do
> what you can to fix it, or you find somewhere else to go.
>
> > Compounded, I'm not sure that the manager will know or care. And I'm
> > certain that our IT girl knows far less about it than he does. She
> > doesn't know what spyware is nor why it's a problem for it to be on the
> > ghost images that she uses once a month (there's viruses too).
> >
> > Help! Please!!
>
> I don't know if Kinkos is franchised or all company owned- if the latter,
> then someone has to "own" security- but they likely don't own store
> authority. That puts them in the fun spot. If you can figure out who it
> is, or if there's an internal audit department with infosec
> responsibility- then they're the folks who need to know. Unfortunately-
> talking to audit is often (and I'm speaking from experience here) taken
> the wrong way by executive management if they're under an audit[1].
>
> Here's an interesting approach-
>
> If you're in school (heck, I dunno- might be worth signing up to do it...)
> ask if you can do a risk assessment as a research project for your
> classes. However, balance the shock and awe with some *easy* and
> *inexpensive* ways for the company to fix these problems. Handing someone
> a laundry list of issues without any fixes is a sure way to end up the bad
> guy.
>
> If the IT person isn't skilled, then educate them- but NOT by rooting
> their machine and "proving" how bad things are. Explain about DDoS
> attacks, machine hopping, and everything. Explain about spyware's use in
> that, as well as the general trojan threat. Then give them 4 things (or
> less) they can do to remove most of the risk. Make sure it's easy and
> repeatable. I probably wouldn't refer to them as "IT girl" either- it
> sets a bad tone, and layer 8[2] is more important than the first 7 layers.
>
> Success in the corporate world is measured one step at a time. Going all
> out with the first push is more likely to fail than getting a step a month
> for a year.
>
> Paul
> [1.] I suppose it's considered poor form if the auditor has to have you
> come into the CIO's office to explain the results of their audit.
> [2.] The political layer.
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
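Two of the points raised in this thread translate directly into code: Paul's suggestion that the password scrawled on the keyboard be turned into a duress or false credential that "kicked off IDS", and the observation that an approval system sharing one login across every branch lets any store authorize any other store's orders. The following is an added illustration, not code from this thread or from any Kinko's system; the account names, branch ids, order records and the `ApprovalSystem` class are constructed for the example. It models a login that rejects a registered canary password while raising an alert, and an authorization step that is scoped to the branch the session belongs to, so a staff member at one store cannot approve or delete orders placed against another.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # work factor for the password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    branch: str          # the one branch this account may act for
    salt: bytes
    digest: bytes
    decoy: bool = False  # True for a duress/canary credential: never grants access


@dataclass
class Session:
    username: str
    branch: str


@dataclass
class ApprovalSystem:
    """Hypothetical per-branch order approval system (constructed for this example)."""
    accounts: dict = field(default_factory=dict)
    orders: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # stand-in for the IDS/alert feed

    def add_account(self, username, branch, password, decoy=False):
        salt = os.urandom(16)
        self.accounts[username] = Account(
            username, branch, salt, hash_password(password, salt), decoy)

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            hash_password(password, b"\x00" * 16)
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            return None
        if acct.decoy:
            # The "password on the keyboard" case: whoever types it is not a
            # legitimate user, so raise an alert and refuse the login.
            self.alerts.append(f"canary credential used: {username}")
            return None
        return Session(acct.username, acct.branch)

    def authorize(self, session, order_id):
        """Approve an order only if it belongs to the caller's own branch."""
        order = self.orders[order_id]
        if order["branch"] != session.branch:
            self.alerts.append(
                f"{session.username}@{session.branch} tried to authorize "
                f"order {order_id} belonging to {order['branch']}")
            return False
        order["status"] = "authorized"
        return True


def demo():
    """Run the constructed scenario and return what happened."""
    system = ApprovalSystem()
    system.add_account("store101-staff", "store101", "correct horse")
    system.add_account("store102-staff", "store102", "battery staple")
    # The old shared password that was written down: registered as a decoy.
    system.add_account("core-download", "hq", "Welcome1", decoy=True)
    system.orders[1] = {"branch": "store101", "qty": 500, "status": "pending"}
    system.orders[2] = {"branch": "store102", "qty": 8_000_000, "status": "pending"}

    session = system.login("store101-staff", "correct horse")
    own_ok = system.authorize(session, 1)        # same branch: allowed
    other_ok = system.authorize(session, 2)      # other branch: refused, alerted
    decoy_session = system.login("core-download", "Welcome1")  # canary: alerted
    return {
        "own": own_ok,
        "other": other_ok,
        "decoy_session": decoy_session,
        "order2_status": system.orders[2]["status"],
        "alerts": system.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The branch check in `authorize` is the part that removes the "8 million business cards at another store" scenario: the credential identifies a branch, and the system enforces that scope on every action rather than trusting a single worldwide login. The decoy account turns a known-leaked password from a liability into a tripwire, which is the detection-side counterpart of that authorization control.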