Re[4]: [Full-Disclosure] Response to comments on Security and Obscurity

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 09/02/04

    To: James Tucker <jftucker@gmail.com>
    Date: Thu, 2 Sep 2004 13:13:29 +0400
    
    

    Dear James Tucker,

    --Thursday, September 2, 2004, 12:05:21 AM, you wrote to 3apa3a@security.nnov.ru:

    JT> Further on the physical to information systems comparison, how do you
    JT> exploit a computer in russia from a computer in new york if there is
    JT> no physical data path between them? (The answer is directed

    You may be a really good specialist in IT security, familiar with every
    law, article and recommendation, but to make any real example for
    informational security problems you MUST understand the difference between
    cracks, exploits, virii and backdoors you do not currently understand.

    OK, I will exploit a computer in Russia by first researching open
    materials (for example, conference participant lists), finding
    appropriate persons with interests in required fields who potentially
    may have access to the required network and trying to contact them. After
    researching I will either try to attack their home computers (because
    it's a very common case that really secret materials are kept on home PCs
    or notebooks almost unprotected) or simply hire them (money, blackmail,
    etc). For the attack I will most probably use a client application (browser,
    mail reader, etc). Of course my potential and knowledge for the second case
    are very limited :)

    JT> would "impose upon business impressions". The CEO is a dear chap who
    JT> forgets to lock his workstation when he goes to lunch. Where did all
    JT> that hard effort of virtual security go? This is not an uncommon
    JT> scenario. The stronger audits in the world fail you for this kind of
    JT> possibility; again count yourself lucky in this regard.

    Even more. This is a very common scenario and this scenario must be
    covered by security policy. You are either unfamiliar with this problem or
    your information is out of date.

    A simple but unreliable protection for this problem is implementing a
    policy for automatic workstation lockout (well, in my network with very
    low security requirements I use this kind of protection). Reliable
    solutions are: use the same card for access to both terminal and room (Sun
    likes this kind of solution - the terminal locks automatically if the
    smartcard is removed) or use event correlation (it's currently a part of
    Security Information Management Systems). If the event "user leaves the
    room" comes without first "user logs off" or "user locks workstation",
    either the user's access out of the room is blocked or the user's
    workstation is shut down remotely.

    Of course, I understand you're trying to catch me on the fact that
    informational security is impossible without physical one. Currently
    information security and physical security go together so closely that
    the border is very unclear. But you're going aside from the initial
    problem: examples and analogies from IT in your article are dummy.

    -- 
    ~/ZARAZA
    Venerable fossils! I await further letters from you.  (Twain)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
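
The event correlation rule described in the message above ("user leaves the room" arriving without a prior "user logs off" or "user locks workstation"), as an added example that is not part of the original post. The event names, the tuple format and the `correlate` function are assumptions for illustration, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events, not from the original message.
# Assumed sources: door badge reader (badge_out) and workstation audit log.
SAMPLE_EVENTS = [
    ("2004-09-02 12:05:00", "bob",   "logon"),
    ("2004-09-02 12:00:00", "alice", "logon"),
    ("2004-09-02 12:30:00", "alice", "lock"),
    ("2004-09-02 12:31:00", "alice", "badge_out"),  # locked first: fine
    ("2004-09-02 12:40:00", "bob",   "badge_out"),  # session still open
    ("2004-09-02 12:41:00", "carol", "badge_out"),  # never logged on: fine
    ("2004-09-02 13:15:00", "alice", "unlock"),
    ("2004-09-02 17:00:00", "alice", "logoff"),
    ("2004-09-02 17:01:00", "alice", "badge_out"),  # logged off first: fine
]

# Workstation events and the session state each one leads to.
TRANSITIONS = {"logon": "active", "unlock": "active",
               "lock": "locked", "logoff": "none"}

def correlate(events, response="shutdown"):
    """Return (time, user, action) for each exit made with an unlocked session.

    response is "shutdown" (remote shutdown) or "block_exit" (deny the door).
    """
    if response not in ("shutdown", "block_exit"):
        raise ValueError("unknown response")
    state = {}      # user -> "active" | "locked" | "none"
    findings = []
    # Feeds from different sources arrive out of order; sort by timestamp.
    ordered = sorted(
        events, key=lambda e: datetime.strptime(e[0], "%Y-%m-%d %H:%M:%S"))
    for ts, user, kind in ordered:
        if kind in TRANSITIONS:
            state[user] = TRANSITIONS[kind]
        elif kind == "badge_out" and state.get(user, "none") == "active":
            findings.append((ts, user, response))
            if response == "shutdown":
                state[user] = "none"   # session ends with the machine
            # block_exit: user stays in the room, session stays active
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

With the "block_exit" response the session stays active, so a repeated exit attempt raises the finding again until the user locks or logs off.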
    
