Re: Enough is enough...

From: Hairy One Kenobi (abuse_at_[
Date: 09/27/05

Date: Tue, 27 Sep 2005 10:28:09 GMT

"Imhotep" <> wrote in message


> My main concern is
> this. I work in computer security and companies (American anyway) have
> always "swept" security breaches under the rug.

Uh huh. While not very useful to the security profession, it's often a
useful way to stay in business, paying peoples' wages. Not that CERT-style
disclosure-after-it's-fixed isn't a very good policy - it depends upon the
target market.

> Even when they come "clean"
> they are only admitting some but not the full extent.

I'd /love/ a specific cite on that.

> It is unfortunate
> that companies have taken this stance, but they were allowed to for so long
> that it is almost second nature. Again, my concern here is the very real
> concern that this company did not totally disclose the full extent of the
> breach....
> Clearly, there need to be laws constructed where companies are forced to
> give full disclosure or be heavily penalized.

Out of interest, why the "very real" concern?

Such a sweeping statement requires an example.

OK, so there's this London-based company supplying news and fundamental
company data; it's bought by a much larger news agency back in the eighties.

At the time, they provided news services to custom DOS clients (Windows 2
was too unstable). These used a client modem to dial-up to a series of modem
banks at the main switching centre near Old Street, just north of the City.

Security was pretty good - too many failed logins caused that particular
modem (and phone number) to be suspended. And alerted the 24x7 operations
staff (in the case of one particular Kiwi, usually to be found asleep under
his desk).

If another modem in the same bank experienced a similar problem, the entire
bank (and the link to that particular London telephone exchange) was
automatically shut down, and the System Manager automatically paged.

Sounds secure, huh? Well, it wasn't secure enough - some idiot forgot to
resuspend the FIELD account after a bit of PM on one of the VAXen. Someone
got in before it was automatically resuspended (given that it wasn't a
standard password being used, you can draw your own conclusions as to how he
did it).

Ops and SysMan watched his every move (as I'm sure you're aware, that's very
easy to do on a VAX) while the police traced the call. He was unable to do
any harm - finger poised over split VT340 screen if he so much as tried to
break out of his limited-function shell - and received a knock on his door
from the Met for his troubles (not the DEC engineer, I hasten to add).

Company policy meant that this site was forever considered to be vulnerable.

The result was that staff at the building were forever forbidden from having
a pass that let them into the main development centre down the road (I had
to sign in as a visitor just to see my boss...).

Another result was that - despite the fact that the main data links went
through that very building, and could be cut by flipping a circuit breaker -
staff working there were forbidden from accessing any production or test
machine, under any circumstances (generally a good rule, until you hit that
inevitable System Down or DR hiccough).

Ironically, the actual response and security levels were deemed to be fine -
although Ops were transferred to the company's main centre in Docklands
(where they lost the expertise of /our/ Ops and generally annoyed customers
with slow, if methodical, responses to problems).

So, let's see. The benefits of disclosure were... more difficult working
practices for staff, reduced skill spotting emerging problems, and worsened
customer response.

In some respects, this is probably a bad example - given that it was a
simple read-only service, customers wouldn't actually have given a hoot. Billing
was handled separately.

OTOH, the main company would have had the underpinnings of its nineties
strategy kicked from under it - what customer is going to be discriminating
enough to tell the difference between an isolated dial-up service hosted by
a subsidiary, and a direct IP link to a (wholly separate) worldwide network?
Result: millions flushed down the loo, and hundreds of techies laid off.

(As it happens, that ever-so-slightly dodgy policy of connecting a series of
Extranets without firewalls *did* lead to a breach in Hong Kong, about 8
years later. Inside job, and widely reported.)

Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!