Re: got me thinking.

From: Meritt James (meritt_james@bah.com)
Date: 08/03/01


Message-ID: <3B6ACDA3.F497FA5E@bah.com>
Date: Fri, 03 Aug 2001 12:13:23 -0400
From: "Meritt James" <meritt_james@bah.com>
To: "Keith.Morgan" <Keith.Morgan@Terradon.com>
Subject: Re: got me thinking.

Assume that "any other open resource" includes such things as
publicly-available nameserver/registration data (fascinating stuff
there, isn't it?), phone directories, and other fun stuff!

"Keith.Morgan" wrote:
>
> Absolutely. When doing penetration testing, the web, newsgroups, mailing
> lists, and any other open resource is the first place I look. Lots of
> information could be gathered on what we run and how via this list archive.
> However, most of the information I've released via lists, could be gathered
> via a quick scan of our systems anyways. What this means, is, as a result
> of my disclosure, an attacker might not have to run an os-fingerprinting
> scan, or pluck at my firewalls to figure out what I'm running. This could
> take a step or two out of his approach, and make it more difficult for me to
> catch him in the act. However, I've weighed this against the value of
> posting information to the list, and for me, it's been an acceptable risk.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan@terradon.com
> 304-755-8291 x142
>
> > -----Original Message-----
> > From: Pacifier [SMTP:evablunted@freemail.absa.co.za]
> > Sent: Monday, July 30, 2001 9:01 AM
> > To: Security Basics (E-mail)
> > Subject: got me thinking.
> >
> > I came across an article on the internet about how list archives can be
> > detrimental to your company's security.
> >
> > It's at http://evablunted.nav.to/security/maillist.html
> >
> > What are your thoughts on this?
> >
> > Pacifier
> > Network Admin
> > CISSP wannabe

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566