RE: Software vendor clueless

From: Kirt Cathey (kirt_at_futamatagawa.net)
Date: 08/16/03

    To: "Jeff Peterson" <jpeterson@btiis.net>, <incidents@securityfocus.com>
    Date: Sun, 17 Aug 2003 06:26:07 +0900
    
    

    Been there.

    Here is the approach....

    Be open, candid, and absolutely non-confrontational (the last one is hard
    when you know the security issues are sometimes grave).
    Also, try to have the client present when you explain these items.

    Explain:
    1) That the client's setup is very insecure for the following reasons
            a) The admin password is too short
            b) The admin password does not contain special characters
            c) The admin password should be changed regularly

    2) The current information security environment. VIGILANCE IS NO LONGER AN
    OPTION.

    3) Explain that the system involved is a client of both. Then explain that
    the client's information security/safety should come first.

    4) Recap on #1. Highlight on #2 and repeat #3 until you make your point and
    can move on.

    5) Candidly explain to the vendor that if a serious security incident should
    occur, and the weak password was the root cause, that the vendor could be
    held legally liable.

    6) Explain to the customer that if privacy and financial information should
    leak, the client could be held legally liable.

    7) Explain to both that a security 'incident' has already occurred. Repeat #5
    and #6 until you have made your point.

    8) Then close the meeting with a remediation timeline. (This is the goal of
    the meeting!)

    Good Luck!

    /***************************************
    Kirt S. Cathey, CIA, CISA, CISSP, MCSE
    PricewaterhouseCoopers - Tokyo, Japan
    Intrusion Detection, Forensics, and Audit
    080-3388-6798
    www.systemsrisk.com
    PGP: http://www.systemsrisk.com/pgp.txt
    ***************************************/

    -----Original Message-----
    From: Jeff Peterson [mailto:jpeterson@btiis.net]
    Sent: Sunday, August 17, 2003 4:32 AM
    To: incidents@securityfocus.com
    Subject: Software vendor clueless

    All,

    I have a customer whose company does legal work for lots of businesses.
    The data housed on their network is what I would call 'financially
    sensitive'. Recently, I found their Exchange server had been turned into
    an open relay. It was not that way a month ago. Once I stopped the
    bleeding, I told them I wanted to change the Administrator password,
    (NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
    change the password. "Sez WHO", I asked. "Our software vendor", they
    replied. Turns out the vendor in question has a niche market in this
    kind of legal field. Also turns out they use the same 4-letter, (no
    caps, no special chars), administrator password on ALL their customers'
    networks. To make matters worse, they have PCAnyWhere ports open on all
    these networks, because their software is so buggy, the developers need
    to remote in and fix things all the time. The spokesman for the group
    claims that the AT&T managed firewall prevents anyone else from using the
    PCNoWhere ports by IP address.

    I'm not a great negotiator, and I'm going to face the SW spokesman next
    week. He is a good spin doctor. I'm looking for help in making him
    secure his stuff. All help is appreciated.

    Jeff Peterson
    BTIIS

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at:
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------
