RE: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?

From: joe (mvp_at_joeware.net)
Date: 07/03/04

    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 3 Jul 2004 11:45:12 -0400
    
    

    Interesting post, thanks.

    Couple of notes:

    1. Your point (a) I completely agree with. Both because they don't want to
    become a bigger target to hackers but also because there is a possibility of
    opening them up to litigation for not properly maintaining their systems.
    The last weighs more heavily on the minds of IT Directors and CIOs of large
    companies than the former in my experience dealing with those people. Many
    of them don't even want outside people knowing they hire external people to
    look at their security and have clauses in the contracts indicating what can
    and can't be disclosed or in many cases if you can even list them as ever
    being a client. It sounds like you have encountered similar.

    2. Your point (b) could be correct, but more often I think it would be more
    an issue of incomplete or incorrect configuration. Generally configured in
    the way it is configured either because that is the way it was always done
    or there is no time for the people who understand security to work on it
    because they are dragged into stupid meetings about inane things.

    3. Your point (c) can be EXTREMELY correct. Anyone who has consulted for
    or worked in a large company (say > 5 or 10 thousand employees) knows that
    these large companies can be a haven for the sludge, though small companies
    can get it too. While working onsite at a Global 5 company we figured that
    maybe 1-2% of the IT folks seemed to actually be getting things done. The
    other 98-99% were there slowing things down unnecessarily and making life
    more difficult and could most likely, if the first 1-2% had time, be
    replaced by intelligent automated systems. It is tougher for the boneheads
    to hide in smaller environments unless there is no one else who knows better
    in the company or organization or if the management is where the boneheads
    are.

    I had a small gig I took care of last week. It was maybe 500 desktops (mixed
    Windows, Mac, Linux), tiny installed base basically. Walked in and the
    configuration was IT Director with a few analysts reporting through CFO.
    This is actually a pretty common configuration. It tends to be bad for
    security though. I knew most of what I needed to know about the company
    sitting in a chair out in a hallway in front of the company suite as they
    had wireless, including the CIO's home phone, cell phone, address, and
    daughter's address/phone at University. Long story short, realized that
    there wasn't a whole lot I could do for them through the IT Director nor CFO
    so chatted with the CEO. Told him that it was bad to have IT report through
    Finance even though it was common. Said he should interview his IT Director
    and find out what he considered his highest 2-3 priorities. If Security
    wasn't there he should probably be removed. Also indicated that they needed
    to yank IT out from under Finance and there should be a CIO so IT had a true
    voice seeing how critical the computing environment was to this company
    (couldn't do business without it anymore as many companies have). CEO
    interviewed the director, guess what the highest priority had to do with?
    Surprise... Budget. After that was variations of keeping users happy or ways
    to stick to budget.

    4. Your point (d) I believe less in. A lot of the issue is what is pointed
    out in 3. The people who actually can figure things out are so bogged down
    in stupid things or under stupid management they don't have the time to put
    into the important things. The 17 year old hackers have all of the time in
    the world to bump against whatever they choose. Your parenthesized statement
    nails it perfectly. The number of meetings that were dragged out to a full
    one-two hours by the evil 98-99% instead of being 5 minutes long as they
    should be approaches 100% of the meetings in the larger companies. Of course
    you still have the management issue as well. You could have the best admin
    in the world, if the management doesn't believe in what he/she wants to
    accomplish, too bad for that admin. Had one company I helped out a few years
    ago where the admin was pushing for a firewall for months. Again this
    company was an IT under finance company. Couldn't get a firewall because the
    CFO didn't feel it was a good budget expenditure. I sent him a couple of his
    own files that he really didn't want anyone seeing - from his own account
    from home. They had money for a firewall in short order.

    Overall though, I agree that most companies do not want their underwear
    being exposed. I am not so sure that full disclosure should extend to
    publishing who has been compromised; I don't honestly see it being much
    value other than to quell the "right to know" crazies. Consider your home:
    someone figures out you leave your door unlocked? Do you want them to tell
    the neighborhood or tell you? If you get burgled for it do you want the cops
    telling the neighborhood you are an idiot and did that? Sure it might help
    some people comply with security for fear of embarrassment but I don't see that
    as a viable solution long term. It doesn't work, look around.

      joe


    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Gregory A.
    Gilliss
    Sent: Wednesday, June 30, 2004 3:31 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Name One Web Site Compromised by
    Download.Ject?

    Oh the naivete ...

    Regardless of the fact that this is full disclosure, does anyone really
    think that any medium to large business concern wants to make public the
    fact that their IT infrastructure is vulnerable? Especially in the Fascist
    Utopia that we call America? Pu-LEEZ!

    The reason that you have not seen anything is because no one wants to admit
    that (a) they are vulnerable, (b) their equipment sucks, (c) they employ
    idiots, (d) seventeen year old hackers are more intelligent/ diligent/
    persistent than their US$100,000+ per year IT guru (who's currently in a
    meeting...please leave a detailed message).

    As a normal part of any security audit that I perform, I provide the client
    with a contract that explicitly states that I will not, under penalty of
    law, divulge the identity of the client to anyone (except maybe the DoJ if
    they come after me). Companies (infallible as they are) have no desire to
    publicize their shortcomings. The lack of news regarding victims of this
    huge gaping hole (HGH) is no conspiracy or coverup. It's called "standard
    operating procedure". If you ever get a job in a corporation, you will
    become familiar with it.

    Academicians aren't supposed to practice information hiding. However I
    wonder whether your search would uncover any academic institutions that have
    suffered a similar fate?

    BTW, I don't necessarily advocate the silence; I merely understand it.

    G

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
