Re: Zonealarm / Email

From: Volker Birk (bumens_at_dingens.org)
Date: 10/07/05


Date: 7 Oct 2005 08:04:19 +0200

Quaestor <no-spam@my.place> wrote:
> A proper firewall is exactly that, it stops everything.

One of the big parcel services in Germany asked me to check their firewall
system. They had just bought some FW1 on Slowlaris to secure their data center,
having a budget of 500k EUR for all that stuff. All was ready-made and
installed.

They wanted me to do a penetration test on it; I should write an attestation.
I asked for an appointment with the head of security there before starting.

I arrived by train and moved on to my destination by taxi. I told the
taxi driver to drive right up to the watchman's small house.
I had my hat on and a big muffler around my neck. When asked, I mumbled
my name. He created a visitor's ID card for me with the name "Brix".

They were not checking whether the visitors requesting a pass were invited
or not.

I went to the main building. Behind the glass door on the right-hand side,
I saw some people already waiting at the reception. I was lucky: some extra
people were even joining them, and I entered along with somebody who came
out of the door. I went left.

They were not checking whether visitors had a pass, at least not when there
were already too many people at the reception.

I searched for an open door to one of the offices. I was lucky and found
one with nobody else in it. And there was a Windows PC with a CD-ROM drive in
it, connected to the network, and even somebody logged in without a
screensaver password. Good Kevin, this is an easy game to play ;-)

Then I went to the reception and registered with my real name.

In the meeting, I first explained exactly what I had done. Then I asked how
much security there is between this Windows PC and the Slowlaris servers. The
answer was "nothing". I asked how the servers are secured. I got the
answer that the servers are Slowlaris installed out of the box.

And I got a question, too. The head of security there asked me, "What would
have been the worst thing that could have happened?" I answered with a
counter-question: "What would happen if I had had a prepared CD
with me, cracked the Slowlaris of your backup system, and exchanged the
driver for the tape drive used for the backups with one that uses
strong encryption on the backups and, after six months, deletes all data
on the hard disks together with the key for the tapes?"

He told me, "You can do this; after two weeks we're done; we would not
know about one single parcel any more."

Yours,
VB.

-- 
If class libraries are compared to animals, MFC is the slime-warts toad.
