Security Basics mailing list archives
RE: How hackers cause damage...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 3 Mar 2006 08:12:59 +1100
In reply to Ansgar Wiechers
> How do you propose to fix vendor issues? Sue them. After all, you paid them money.
So in cases where life has been lost, it is OK as long as there is a remedy in tort? The life is less important than the monetary cost?
> Frame relay that is not locked down. The hospital may pay for the service and still be connected.
> So? Any connection can be secured. Lack of skills is no excuse whatsoever as there are skilled people out there who can be hired.
> In those cases relevant to the discussed topic, a dialup connection usually connects the computer to the user's ISP
What world do you live in, Ansgar? I am involved with over 200 audits (note audit and NOT just pen test) yearly. Of these, 3 clients have modem connections to an ISP. All have modem connections - every single one! Some are installed by vendors. Over 30% are unknown to the client, and vendors OFTEN do this without authorisation. Some are dial-in RAS servers, others are dial-out only. In some cases they are PBX based - the list goes on.

PS - out of all these modems maybe one in 1,000 would be detected by ANY pen test, and they are the least likely to cause real concern. PBX and phone systems are PUBLIC networks. Most "private networks" are PUBLIC networks. Have a look at the carrier contract for that private fibre link between offices - chances are that it has a clause stating that management of the systems may be done over the channel best suited to the vendor as defined in the schedule. The schedule document will then list the internet as an agreed path. I have reviewed numerous contracts and I am yet to find a single one that does not have a backdoor internet clause.
> So? Any connection can be secured. Lack of skills is no excuse whatsoever as there are skilled people out there who can be hired.
Do you have the faintest idea of risk? The cost of security is inverse to the amount of security. If you want 100% security you pay more than the cost of the item to be secured. I suggest that you get a little training on risk. Learn that there are financial costs to security.

To other matters: first, there are NOT enough skilled people to fix and secure all issues. Next, the majority of the Internet backbone is currently vulnerable as it exists today. We are just in the process of completing a Critical Network Vulnerability Assessment project here in Australia, and you may be interested to know that we failed to find more than 10% of the routers, including backbone ones, with the required firmware versions nationally. Over 80% of "secured" VPN routers that service "private" VPNs have access from the Internet. Over half the DNS servers are vulnerable to root compromise (including one hint server). These are just the tip of the iceberg. I would estimate that there are over 500,000 network devices and servers here in Australia alone that have a direct effect on critical infrastructure and that are vulnerable to attack and at high risk.

I am not stating this is good, nor that action should not be taken - but have a clue. Insecurity is systemic on the Internet and most other networks. The report will be public in a few months. I am sure that the Attorney General will get as much mileage as they can from it. The really amazing thing is that when we get up in the morning things still work.

Regards,
Craig

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- RE: How hackers cause damage... Craig Wright (Mar 03)
- Re: How hackers cause damage... Ansgar -59cobalt- Wiechers (Mar 03)
- <Possible follow-ups>
- RE: How hackers cause damage... Craig Wright (Mar 03)
- RE: How hackers cause damage... Craig Wright (Mar 06)