Re: got me thinking.
From: Meritt James (firstname.lastname@example.org)
- In reply to: Keith.Morgan: "RE: got me thinking."
Message-ID: <3B6ACDA3.F497FA5E@bah.com>
Date: Fri, 03 Aug 2001 12:13:23 -0400
From: "Meritt James" <email@example.com>
To: "Keith.Morgan" <Keith.Morgan@Terradon.com>
Subject: Re: got me thinking.

Assume that "any other open resource" includes such things as
publicly available nameserver/registration data (fascinating stuff
there, isn't it?), phone directories, and other fun stuff!
> Absolutely. When doing penetration testing, the web, newsgroups, mailing
> lists, and any other open resource is the first place I look. Lots of
> information could be gathered on what we run and how via this list archive.
> However, most of the information I've released via lists, could be gathered
> via a quick scan of our systems anyways. What this means, is, as a result
> of my disclosure, an attacker might not have to run an os-fingerprinting
> scan, or pluck at my firewalls to figure out what I'm running. This could
> take a step or two out of his approach, and make it more difficult for me to
> catch him in the act. However, I've weighed this against the value of
> posting information to the list, and for me, it's been an acceptable risk.
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> 304-755-8291 x142
> > -----Original Message-----
> > From: Pacifier [SMTP:firstname.lastname@example.org]
> > Sent: Monday, July 30, 2001 9:01 AM
> > To: Security Basics (E-mail)
> > Subject: got me thinking.
> > I came across an article on the internet about how list archives can be
> > detrimental to your company's security.
> > It's at http://evablunted.nav.to/security/maillist.html
> > What are your thoughts on this?
> > Pacifier
> > Network Admin
> > CISSP wannabe
--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566