Security Basics mailing list archives

RE: How hackers cause damage...


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 3 Mar 2006 08:12:59 +1100


In reply to Ansgar Wiechers
How do you propose to fix vendor issues?
Sue them. After all you paid them money.

So in cases where life has been lost, it is ok as long as there is
remedy in tort? The life is less important than the monetary cost?

Frame relay that is not locked down. The hospital may pay for the
service and still be connected.

So? Any connection can be secured. Lack of skills is no excuse
whatsoever as there are skilled people out there who can be hired.

In those cases relevant to the discussed topic, a dialup connection
usually connects the computer to the user's ISP

What world do you live in Ansgar? I am involved with over 200 audits
(note audit and NOT just pen test) yearly. From this 3 clients have
modem connections to an ISP. All have modem connections - every single
one! Some are installed by vendors. Over 30% are unknown by the client
and vendors OFTEN do this without authorisation. Some are dial in RAS
servers others are dial out only. In some cases they are PBX based - the
list goes on. PS - out of all these modems maybe one in 1,000 would be
detected by ANY Pen. Test and they are the least likely to cause real
concern.

PBX and phone systems are PUBLIC networks. Most "private networks" are
PUBLIC Networks. Have a look at the carrier contract for that private
fibre link between offices - chances are that it has a clause stating
that management of the systems may be done over the channel best suited
to the vendor as defined in the schedule. The schedule document will
then list the internet as an agreed path. I have reviewed numerous
contracts and I am yet to find a single one that does not have a
backdoor internet clause.

So? Any connection can be secured. Lack of skills is no excuse
whatsoever as there are skilled people out there who can be hired.

Do you have the faintest idea of risk? The cost of security is inverse
to the amount of security. You want 100% security, you pay more than the
cost of the item to be secured. I suggest that you get a little training
on risk. Learn that there are financial costs to security.

To other matters;
First there are NOT enough skilled people to fix and secure all issues.
Next the majority of the Internet backbone is currently vulnerable as it
exists today. We are just in the process of completing a Critical
Network Vulnerability Assessment project here in Australia and you may
be interested to know that we failed to find more than 10% of the
routers including backbone ones with the required firmware versions
nationally.

Over 80% of "secured" VPN routers that service "private" VPN's have
access from the Internet. Over half the DNS servers are vulnerable to
root compromise (including one hint server). These are just the tip of
the iceberg. I would estimate that there are over 500,000 network
devices and servers here in Australia alone that have a direct effect to
critical infrastructure that are vulnerable to attack and at high risk.

I am not stating this is good nor that action should not be taken - but
have a clue. Insecurity is systemic on the Internet and most other
networks.

The report will be public in a few months. I am sure that the Attorney
General will get as much mileage as they can from it.

The really amazing thing is that when we get up in the morning things
still work.

Regards,
Craig

