Re: Enough is enough...

From: Hairy One Kenobi (abuse_at_[127.0.0.1)
Date: 09/27/05


Date: Tue, 27 Sep 2005 10:28:09 GMT


"Imhotep" <Imhotep@nospam.net> wrote in message
news:J8udnY0_w7vnO6XeRVn-uw@adelphia.com...

<snip>

> My main concern is
> this. I work in computer security and companies (American anyway) have
> always "swept" security breaches under the rug.

Uh huh. While not very useful to the security profession, it's often a
useful way to stay in business, paying peoples' wages. Not that CERT-style
disclosure-after-it's-fixed isn't a very good policy - it depends upon the
target market.

> Even when they come "clean"
> they are only admitting some but not the full extent.

I'd /love/ a specific cite on that.

> It is unfortunate
> that companies have taken this stance but, they were allowed to for so long
> that it is almost second nature. Again, my concern here is the very real
> concern that this company did not totally disclose the full extent of the
> breach....
>
> Clearly, there needs to be laws constructed where companies are forced to
> give full disclosure or be heavily penalized.

Out of interest, why the "very real" concern?

Such a sweeping statement requires an example.

OK, so there's this London-based company supplying news and fundamental
company data; it's bought by a much larger news agency back in the eighties.

At the time, they provided news services to custom DOS clients (Windows 2
was too unstable). These used a client modem to dial up to a series of modem
banks at the main switching centre near Old Street, just north of the City.

Security was pretty good - too many failed logins caused that particular
modem (and phone number) to be suspended. And alerted the 24x7 operations
staff (in the case of one particular Kiwi, usually to be found asleep under
his desk).

If another modem in the same bank experienced a similar problem, the entire
bank (and the link to that particular London telephone exchange) was
automatically shut down, and the System Manager automatically paged.

Sounds secure, huh? Well, it wasn't secure enough - some idiot forgot to
resuspend the FIELD account after a bit of PM on one of the VAXen. Someone
got in before it was automatically resuspended (given that it wasn't a
standard password being used, you can draw your own conclusions as to how he
did it).

Ops and SysMan watched his every move (as I'm sure you're aware, that's very
easy to do on a VAX) while the police traced the call. He was unable to do
any harm - finger poised over split VT340 screen if he so much as tried to
break out of his limited-function shell - and received a knock on his door
from the Met for his troubles (not the DEC engineer, I hasten to add).

Company policy meant that this site was forever considered to be vulnerable.

The result was that staff at the building were forever forbidden from having
a pass that let them into the main development centre down the road (I had
to sign in as a visitor just to see my boss..).

Another result was that - despite the fact that the main data links went
through that very building, and could be cut by flipping a circuit breaker -
staff working there were forbidden from accessing any production or test
machine, under any circumstances (generally a good rule, until you hit that
inevitable System Down or DR hiccough).

Ironically, the actual response and security levels were deemed to be fine -
although Ops were transferred to the company's main centre in Docklands
(where they lost the expertise of /our/ Ops and generally annoyed customers
with slow, if methodical, responses to problems).

So, let's see. The benefits of disclosure were.. more difficult working
practices for staff, reduced skill spotting emerging problems, and worsened
customer response.

In some respects, this is probably a bad example - given that it was a
simple read-only service, customers wouldn't actually have given a hoot. Billing
was handled separately.

OTOH, the main company would have had the underpinnings of its nineties
strategy kicked from under it - what customer is going to be discriminating
enough to tell the difference between an isolated dial-up service hosted by
a subsidiary, and a direct IP link to a (wholly separate) worldwide network?
Result: millions flushed down the loo, and hundreds of techies laid off.

(As it happens, that ever-so-slightly dodgy policy of connecting a series of
Extranets without firewalls *did* lead to a breach in Hong Kong, about 8
years later. Inside job, and widely reported)

-- 
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

