Re: got me thinking.

From: Meritt James (meritt_james@bah.com)
Date: 08/03/01


Message-ID: <3B6ACDA3.F497FA5E@bah.com>
Date: Fri, 03 Aug 2001 12:13:23 -0400
From: "Meritt James" <meritt_james@bah.com>
To: "Keith.Morgan" <Keith.Morgan@Terradon.com>
Subject: Re: got me thinking.

Assume that "any other open resource" includes such things as
publicly available nameserver/registration data (fascinating stuff
there, isn't it?), phone directories, and other fun stuff!

"Keith.Morgan" wrote:
>
> Absolutely. When doing penetration testing, the web, newsgroups, mailing
> lists, and any other open resource is the first place I look. Lots of
> information could be gathered on what we run and how via this list archive.
> However, most of the information I've released via lists, could be gathered
> via a quick scan of our systems anyways. What this means, is, as a result
> of my disclosure, an attacker might not have to run an os-fingerprinting
> scan, or pluck at my firewalls to figure out what I'm running. This could
> take a step or two out of his approach, and make it more difficult for me to
> catch him in the act. However, I've weighed this against the value of
> posting information to the list, and for me, it's been an acceptable risk.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan@terradon.com
> 304-755-8291 x142
>
> > -----Original Message-----
> > From: Pacifier [SMTP:evablunted@freemail.absa.co.za]
> > Sent: Monday, July 30, 2001 9:01 AM
> > To: Security Basics (E-mail)
> > Subject: got me thinking.
> >
> > I came across an article on the internet about how list archives can be
> > detrimental to your company's security.
> >
> > It's at http://evablunted.nav.to/security/maillist.html
> >
> > What are your thoughts on this?
> >
> > Pacifier
> > Network Admin
> > CISSP wannabe

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566


