RE: Software vendor clueless
From: Jeff Peterson (jpeterson_at_btiis.net)
Date: 08/17/03
- Previous message: Kirt Cathey: "RE: Software vendor clueless"
- Maybe in reply to: Jeff Peterson: "Software vendor clueless"
- Next in thread: Harlan Carvey: "Re: Software vendor clueless"
To: 'Kirt Cathey' <kirt@futamatagawa.net>, Jeff Peterson <jpeterson@btiis.net>, incidents@securityfocus.com
Date: Sat, 16 Aug 2003 17:00:30 -0700
Thank you, Kirt. Very clear. I will take your advice.
-----Original Message-----
From: Kirt Cathey [mailto:kirt@futamatagawa.net]
Sent: Saturday, August 16, 2003 2:26 PM
To: Jeff Peterson; incidents@securityfocus.com
Subject: RE: Software vendor clueless
Been there.
Here is the approach....
Be open, candid, and absolutely non-confrontational (the last one is hard
when you know the security issues are sometimes grave).
Also, try to have the client present when you explain these items.
Explain:
1) That the client's setup is very insecure for the following reasons
a) The admin password is too short
b) The admin password does not contain special characters
c) The admin password should be changed regularly
2) The current information security environment. VIGILANCE IS NO LONGER AN
OPTION.
3) Explain that the system involved is a client of both. Then explain that
the client's information security/safety should come first.
4) Recap on #1. Highlight on #2 and repeat #3 until you make your point and
can move on.
5) Candidly explain to the vendor that if a serious security incident should
occur, and the weak password was the root cause, that the vendor could be held
legally liable.
6) Explain to the customer that if privacy and financial information should
leak, the client could be held legally liable.
7) Explain to both that a security 'incident' has already occurred. Repeat #5
and #6 until you have made your point.
8) Then close the meeting with a remediation timeline. (This is the goal of
the meeting!)
Good Luck!
/***************************************
Kirt S. Cathey, CIA, CISA, CISSP, MCSE
PricewaterhouseCoopers - Tokyo, Japan
Intrusion Detection, Forensics, and Audit
080-3388-6798
www.systemsrisk.com
PGP: http://www.systemsrisk.com/pgp.txt
***************************************/
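The three password findings Kirt lists under item 1, turned into a check an auditor can run before the meeting. This is an added example, not code from the original thread or from either poster: it flags an administrator password that is too short, has no special characters or no mixed case, or has not been rotated within the policy window, and separately groups hosts that store the same credential hash, which is how the "same password at every customer" situation in Jeff's post shows up in data. The policy thresholds (12 characters, 90 days), the host names and the hash strings are constructed assumptions; the hash comparison only works for unsalted hash formats such as NT hashes, and would need plaintext for salted ones.

```python
"""Audit administrator passwords against a simple policy and detect the
same credential in use across several customer systems.

All thresholds, host names and hash values below are constructed for the
example; nothing here comes from a real customer environment."""
import string
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    # Assumed policy values; tighten or relax to match the client's standard.
    min_length: int = 12
    require_special: bool = True
    require_mixed_case: bool = True
    max_age_days: int = 90


def audit_password(password: str, last_changed: date, today: date,
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    if len(password) < policy.min_length:
        findings.append(f"too short: {len(password)} chars, "
                        f"policy minimum {policy.min_length}")
    if policy.require_special and not any(c in string.punctuation for c in password):
        findings.append("no special characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        findings.append("no mixed case")
    age_days = (today - last_changed).days
    if age_days > policy.max_age_days:
        findings.append(f"not rotated: {age_days} days old, "
                        f"policy maximum {policy.max_age_days}")
    return findings


def find_shared_credentials(host_to_hash: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by the credential hash they store.

    Any group with more than one host means one password is in use at
    several sites. This works as written only for unsalted formats (for
    example NT hashes); salted hashes differ per host even for the same
    password, so they cannot be compared this way."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host, credential_hash in host_to_hash.items():
        groups[credential_hash.lower()].append(host)
    return {h: sorted(hosts) for h, hosts in groups.items() if len(hosts) > 1}


# Constructed sample inventory: hostnames and hashes are placeholders.
SAMPLE_HOSTS = {
    "customer-a-dc1": "0123456789abcdef0123456789abcdef",
    "customer-b-dc1": "0123456789ABCDEF0123456789ABCDEF",
    "customer-c-dc1": "fedcba9876543210fedcba9876543210",
    "customer-d-dc1": "0123456789abcdef0123456789abcdef",
}


if __name__ == "__main__":
    # A four-letter, lowercase, never-rotated password like the one described.
    for finding in audit_password("abcd", date(2003, 1, 1), date(2003, 8, 16)):
        print("FINDING:", finding)
    for shared_hash, hosts in find_shared_credentials(SAMPLE_HOSTS).items():
        print(f"SHARED CREDENTIAL {shared_hash[:8]}... on: {', '.join(hosts)}")
```

Run with no arguments to see the findings for the constructed sample; in practice the host inventory would be filled from the vendor's own list of customer systems, and each finding maps directly onto an item in the remediation timeline the meeting is meant to produce.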
-----Original Message-----
From: Jeff Peterson [mailto:jpeterson@btiis.net]
Sent: Sunday, August 17, 2003 4:32 AM
To: incidents@securityfocus.com
Subject: Software vendor clueless
All,
I have a customer whose company does legal work for lots of businesses.
The data housed on their network is what I would call 'financially
sensitive'. Recently, I found their Exchange server had been turned into
an open relay. It was not that way a month ago. Once I stopped the
bleeding, I told them I wanted to change the Administrator password,
(NT4.0, Exch5.5. I know, I know). They told me they were not allowed to
change the password. "Sez WHO", I asked. "Our software vendor", they
replied. Turns out the vendor in question has a niche market in this
kind of legal field. Also turns out they use the same 4-letter, (no
caps, no special chars), administrator password on ALL their customers'
networks. To make matters worse, they have PCAnyWhere ports open on all
these networks, because their software is so buggy, the developers need
to remote in and fix things all the time. The spokesman for the group
claims that the AT&T managed firewall prevents anyone else from using the
PCNoWhere ports by IP address.
I'm not a great negotiator, and I'm going to face the SW spokesman next
week. He is a good spin doctor. I'm looking for help in making him
secure his stuff. All help is appreciated.
Jeff Peterson
BTIIS
---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------