Re: [fw-wiz] Waning Security

From: Paul D. Robertson
Date: 04/23/04

    To: Frederick M Avolio
    Date: Thu, 22 Apr 2004 21:43:03 -0400 (EDT)

    On Thu, 22 Apr 2004, Frederick M Avolio wrote:

    > At 04:43 PM 4/22/2004 -0400, Paul D. Robertson wrote:
    > >It was asking for advice, and while many may see it as "dirty laundry,"
    > >that's more because they're holding pre-conceived notions about how much
    > >information is already out there.
    > I'm not. I think this list has shown maturity in thinking. If it was my
    > company, he'd be fired for lack his exceedingly poor judgement. And shifting
    > from the poster (him) to the post ("It") doesn't fool anyone. :-)

    If businesses fired people for "poor judgement," there'd be nobody in
    management, sales, or marketing ;)

    > > Simple obscurity isn't going to help-
    > Bogon alert. Broadcasting inside-verified holes in security isn't either.

    Depends on what the outcome is- if this gets them fixed, or if this was
    helpful enough to the original poster to get them fixed, then it just
    might. There was one part that was, in my mind anyway, questionable, the
    rest wasn't anything surprising, or all that damaging, and I can get more
    information from hanging out at a bar 2 doors down from a Kinkos.

    Going from say 50,000 people who know this (and that number's probably
    low) to say 60,000 (and that delta's probably high) just does not change
    the threat that significantly.

    The bar to get this info just isn't that high. There are what, 1200 or so
    stores, and they probably get huge turnover, so I'm guessing that most of
    the "revelations" are known to at least 250,000 people and possibly their
    friends (for the ones that aren't store-specific.)

    I'd also hazard to guess that you could go into a store with a survey
    that asked all the right questions and get >30% of the employees to fill
    it out while they're copying it. "Hi, I'm doing an anonymous survey, and
    I need to have it copied, can you fill one out and make me 100 blank
    copies?" would probably work 99% of the time against the minimum wage
    folks working there at 2am.

    > I don't think it was bad. I think it was foolish.

    If it's not bad, it's not a termination offense. If you can't stop the
    100 people who just quit working at the company today from divulging the
    same info, it's not confidential. If more than 10,000 people know it,
    it's not a secret.

    > >It may be popular to sensationalize "Leaking information!" but let me tell
    > >you- anyone who thinks the attacker community hasn't already profiled
    > >places like the one in question is _kidding_themselves_.
    > Okay, you can't bait me. :-) I don't buy it.

    Kinkos laid off a large number of employees in 2001- that's a lot of
    gruntles to be dissing. We all know that disgruntles are trouble. Lots of
    those people are in a social position to compromise via current employees.
    A large number of "Who did what" stuff that I get is from former
    employees, I can't imagine a scenario where they've got some magic thing
    that makes it not happen to them.

    Here's enough information to plan lots of badness:

    Lamo did some of his deeds from Kinkos, think he couldn't profile the
    places he did his scanning from?

    From USENET, here are two simple posts:

    >Does anyone have some ideas about hacking the software that Kinko's (the
    >rent-a-Mac and laser printer outfit) employs to keep track of a
    >expended time online and printer output?

    This may not work at all Kinko's, but at the one where I work, you can
    just force Desk Tracy to quit like any other application. I haven't messed
    around with it too much cuz I have the password for our store.

    Also, keep in mind that at most Kinko's the cashiers don't have a clue as
    to how much time you've spent on the computers or how many printouts you
    made. I do keep an eye on the color printer though, and I sometimes find
    an excuse to follow a customer to the register if they've been a dick and
    I wanna make sure they pay. Flash your 2600 badge and it's all free.

    I have found that if you remove the cable that is plugged into the back of
    the computer, the one that goes to the card tak, it won't charge you and
    bill it to the admin account. I have done this at least three times and it
    does not print out any type of bill at the end.

    I went to my local Kinko's today to make some copies and they no longer
    use key counters for the copiers.. they now use smart cards... does anyone
    have any info on these types of cards and how they work... Thanks for any

    Keep in mind that a good portion of the attacker community thinks that
    Internet access from there is anonymized enough to save them. Some of
    those folks will recon the environment out of habit or principle. I could
    probably spend an hour or two coming up with a profile from Web/News
    that'd be much more scary than the original posting. If I was going to do
    social engineering, or track down former or disgruntled employees, I could
    do quite a bit.

    > >Sanitizing it probably would have cost a potential attacker an additional
    > >15 minutes of Google time. Do other people in this community not
    > >regularly track folks on the Net? Anyone who thinks removing the company
    > >name would have made the hurdle that much harder doesn't understand the
    > >attacker community, and should probably go check their defenses again.
    > I guess then I don't understand it. Because I don't want to give them that
    > 15 minute edge. Especially if it costs me nothing to keep quiet or ask a
    > smaller community.

    Bogon alert (;-p) You're switching between limiting distribution and
    obfuscating the company. Those are two different things. The attacker
    community is really good at figuring out these things. The social vector
    into finding out where Chuck worked wouldn't be that difficult assuming
    it's not already on the Net. When I track bad guys, I can find out a lot
    about them, and it doesn't take me more than a day or two to draw up a
    good profile. I'm not doing magic, and a lot of attackers can get
    information more easily- and once you have enough info, it's not all that
    hard to pay for the rest ($15 goes a long way these days.)

    > >Personally, I would refuse to do business with any company that allowed
    > >its infrastructure to go downhill, then blamed it on someone seeking
    > >information on how to get it changed.
    > But, you know, sometimes it is the only place open late at night when you
    > need copying. :-)

    I'd still avoid it. My principles aren't driven by convenience. If you
    can't tell from the number of posts, this is one I feel strongly about.

    > >Security is *everyone in an organization's responsibility* but that means
    > >that the people in charge have to pay attention. If there's not an easy
    > >and well-known way for an organization to inform and indeed complain about
    > >it, it's STILL not the messenger's fault. Shooting the messenger ensures
    > >you get no more messages-
    > I'd not shoot the messenger for noticing a problem. I'd shoot the messenger
    > for telling the world about it.

    Then you'd (a) still have the problem, and (b) have no more messengers.
    What a great plan! You could then just pretend the event never happened
    and wallow happily in the knowledge that nobody will ever talk bad about
    security again until the press finds out about a breach!

    I'd (a) shoot the architect of the major issues, and (b) shoot the person
    who's responsible for having people report these things internally.

    You'd have one more bullet left than me, but I'd have a much better handle
    on my organization's security. Then I'd assign the messenger to recommend
    cheap, easy fixes, so they can see what the message cost me- and they'd
    have to document the risks and the costs, while working with the
    replacements for the two dead folks. Making them solve security problems
    is punishment enough :)

    > >While the original message contains some embarrassing stuff, there's
    > >nothing in there that an attacker couldn't (a) easily find out and (b)
    > >publish at will.
    > Bogon alert. A would-be attacker can *now* easily find out. I am not
    > convinced that is the case however. Publish at will? Sure.

    If you can't stop an attacker from publishing it, then it's not
    confidential enough to dismiss an employee over, unless there's a clear
    policy violation, and even then lack of malice would dictate education
    rather than dismissal. They could already find out. I'm half-tempted to
    go see what I can social engineer out of a local branch, but that's
    outside my ethical boundary if they're not asking for it.

    > "I'm sorry the plans on that new weapons system leaked. But, they were
    > already probably out there before I leaked them to the enemy."

    Weapons systems are classified, and you can stop third parties from
    publishing them. I watch cashiers at BestBuy type in their passwords
    all the time. People give out passwords for chocolate- it's just not
    difficult to get this level of information. It's easier when all the
    low-wage folks whose problem it isn't know it...

    I've seen much, much worse places. Generally *after* a huge compromise.
    All of those places were compromised before news of their lax security
    was public- and in the worst-compromised places, all the attackers knew
    they were weak targets.

    > I'd really encourage other people, the first day they stumble on this -- or
    > any -- list to think more before posting.

    I'm sure at this point, with all the virtual shooting going on, the
    original poster has been more than educated on "shoulda, coulda, woulda"
    stuff. I really hope he's not put off communicating with this community,
    because we already have enough communication problems without all the
    unhelpful shootings happening. If the defensive community is to have a
    hope of outdoing the attacker community, we're going to *have* to start
    sharing potentially embarrassing information. We're also going to have to
    start blaming the attackers for attacking, not people on our side.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
