Firewall Wizards mailing list archives

Re: Kinko's Waning Security


From: "S. Jonah Pressman" <jpressman () sympatico ca>
Date: Thu, 22 Apr 2004 12:21:54 -0400

Chuck, you make excellent points and seem to be extremely passionate about corporate security. Your methodology of airing corporate dirty laundry in public leaves a lot to be desired. In fact, you've just single-handedly issued an invitation to "black-hats" to sample the fruits inside your corporate walls. If I were your manager, I'd introduce you to the corporate legal counsel and then escort you to the door.

I am surprised that your note was posted by the moderator. Frankly, it should have been sent back to you with the suggestion to sanitize it before resubmission.

SJP

Paul D. Robertson wrote:

On Wed, 21 Apr 2004, Chuck Vose wrote:


I work for Kinko's and I'm beginning to worry about the security from
above. I would like to hear advice on how to request greater security
when you have no buying power or authority at all (the copy guy
downstairs doesn't get a whole lot of say over the network decisions).


Getting security budget really needs to be a culture change for most large
organizations.  Typically, there's a delicate balance between being the
guy who informs everyone, and being that pain-in-the-rear who used to work
here...

For a business, the real key is risk, not security.  How imminent are the
threats, how much do the protections cost, and which things should be
addressed first...


For instance, passwords are getting weaker and weaker. It used to be
mandatory to have a 4 digit password to access the register, however
it's been lowered to 1 digit. This seems like an incredibly bad idea.


On the surface it does, since a random attacker has a 1-in-N chance of
figuring it out.  However, a targeter of choice will likely get the
password anyway- and the bar to doing so is pretty low (camera, yellow
sticky, temp job...)  So the real question is "how likely is an attacker
to randomly attack and try a one character password versus using another
method?"

Reusable passwords suck, making them longer doesn't necessarily change
your overall risk very significantly at all in terms of real-world attacks.

If everyone was writing down the longer passwords, then it changes it not
one bit.

For a retail environment, I'd worry more about "How do I know it was
employee X instead of employee Y?" for things like register passwords.
The answer may well be "I have it on video."


Passwords on the email system and the internal core downloads have never
changed. In fact, we wrote the password on a keyboard long, long ago and
it's beginning to wear off just from people typing on it. I can't rub
sharpie ink off with all the grit I can muster, yet it's wearing off
through I can only assume erosion.


Ah, see- here we have an example of why "strong" passwords suck!  Someone
always writes them down- in indelible ink on the keyboard is unreal.  I'd
consider putting a duress password on like that, or a false password that
kicked off IDS.


Finally, our brand spanking new business card approval system has the
same username and password for every branch in the world. I can access
my neighboring branch's system and authorize or delete all the orders I
like. Were I inclined, I would make a fake order for 8 million business
cards at another store, access the auth page, and let the store buy the
cards. Once we release, the store has to buy the cards even if they
aren't sold, but the authorization process isn't limited at all. Hell,
customers will probably start doing their own cards once they figure out
the system (which, knowing the internet, won't be long).


This one is probably worth a risk analysis paper.  If you're going to do
one, and you want to stay employed, then I'd (a) never do anything that
could be construed wrongly, and (b) get approval from someone in
management *before* you write one.  Propose it verbally first- then in
writing- and explain that you're going to do it all on paper, that you're
concerned for the business, etc.


What do you do when your employer is getting more and more stupid about
security? I could go on about the problems, they touch into physical
security, VLANs being the main security, poor password systems (in more
than the items mentioned). In fact, Kinko's would probably make a fine
"How not to secure your company" subject.


If it's "Your problem" in that you're responsible for some part of it
(rather than the general "I work here, so I share responsibility"), you do
what you can to fix it, or you find somewhere else to go.


Compounded, I'm not sure that the manager will know or care. And I'm
certain that our IT girl knows far less about it than he does. She
doesn't know what spyware is nor why it's a problem for it to be on the
ghost images that she uses once a month (there's viruses too).

Help! Please!!


I don't know if Kinkos is franchised or all company owned- if the latter,
then someone has to "own" security- but they likely don't own store
authority.  That puts them in the fun spot.  If you can figure out who it
is, or if there's an internal audit department with infosec
responsibility- then they're the folks who need to know.  Unfortunately-
talking to audit is often (and I'm speaking from experience here) taken
the wrong way by executive management if they're under an audit[1].

Here's an interesting approach-

If you're in school (heck, I dunno- might be worth signing up to do it...)
ask if you can do a risk assessment as a research project for your
classes.  However, balance the shock and awe with some *easy* and
*inexpensive* ways for the company to fix these problems.  Handing someone
a laundry list of issues without any fixes is a sure way to end up the bad
guy.

If the IT person isn't skilled, then educate them- but NOT by rooting
their machine and "proving" how bad things are.  Explain about DDoS
attacks, machine hopping, and everything.  Explain about spyware's use in
that, as well as the general trojan threat.  Then give them 4 things (or
less) they can do to remove most of the risk.  Make sure it's easy and
repeatable.  I probably wouldn't refer to them as "IT girl" either- it
sets a bad tone, and layer 8[2] is more important than the first 7 layers.

Success in the corporate world is measured one step at a time.  Going all
out with the first push is more likely to fail than getting a step a month
for a year.

Paul
[1.] I suppose it's considered poor form if the auditor has to have you
come into the CIO's office to explain the results of their audit.
[2.] The political layer.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


--
S. Jonah Pressman

E:    jpressman () sympatico ca / jonah () pressman ca
W:    http://www.pressman.ca
P:    905-707-8323
C:    416-894-6067 (cell)
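Two points in the quoted discussion lend themselves to a concrete illustration: the "1-in-N" guessing odds for a 1-digit versus 4-digit register PIN, and the suggestion of a duress or "false password that kicked off IDS" together with per-employee accountability ("how do I know it was employee X instead of employee Y?"). The following Python is an added example written for this archive page; it is not code from the thread, from Kinko's, or from any real register system. Every employee name, PIN, the canary PIN, the attempt limit and the lockout window are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def guess_probability(pin_digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct random guesses hit a uniformly chosen
    numeric PIN of `pin_digits` digits (no lockout)."""
    space = 10 ** pin_digits
    return min(attempts, space) / space


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Never store register PINs in the clear; PBKDF2 makes offline guessing slower.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Employee:
    name: str
    salt: bytes
    pin_hash: bytes


@dataclass
class RegisterAuth:
    """Per-employee PIN check with lockout, an in-memory audit trail, and a
    canary PIN that is never issued to anyone: typing it is an alert, not a login."""
    employees: dict
    canary_salt: bytes
    canary_hash: bytes
    max_attempts: int = 5          # constructed policy value
    lockout_seconds: int = 300     # constructed policy value
    failures: dict = field(default_factory=dict)    # employee_id -> (count, locked_until)
    audit_log: list = field(default_factory=list)   # constructed audit trail (would go to SIEM)

    def _record(self, event: str, employee_id: str, now: float) -> None:
        # Every outcome is tied to the employee id that was typed, so the
        # trail answers "was it X or Y?" even when the PIN was wrong.
        self.audit_log.append({"event": event, "employee": employee_id, "ts": now})

    def login(self, employee_id: str, pin: str, now=None) -> str:
        now = time.time() if now is None else now
        # Canary first: the false password fires regardless of which account it is tried on.
        if hmac.compare_digest(_hash_pin(pin, self.canary_salt), self.canary_hash):
            self._record("CANARY_PIN_USED", employee_id, now)
            return "alert"
        emp = self.employees.get(employee_id)
        if emp is None:
            self._record("UNKNOWN_EMPLOYEE", employee_id, now)
            return "denied"
        count, locked_until = self.failures.get(employee_id, (0, 0.0))
        if now < locked_until:
            self._record("LOCKED_OUT", employee_id, now)
            return "locked"
        if hmac.compare_digest(_hash_pin(pin, emp.salt), emp.pin_hash):
            self.failures[employee_id] = (0, 0.0)
            self._record("LOGIN_OK", employee_id, now)
            return "ok"
        count += 1
        if count >= self.max_attempts:
            # Lockout bounds the guessing odds: at most max_attempts guesses per window.
            self.failures[employee_id] = (0, now + self.lockout_seconds)
            self._record("LOCKOUT_TRIGGERED", employee_id, now)
            return "locked"
        self.failures[employee_id] = (count, locked_until)
        self._record("LOGIN_FAIL", employee_id, now)
        return "denied"


def build_demo() -> RegisterAuth:
    """Constructed sample setup: two employees with distinct 4-digit PINs and one
    canary PIN that must not collide with any issued PIN (hypothetical values)."""
    def make(name: str, pin: str) -> Employee:
        salt = secrets.token_bytes(16)
        return Employee(name, salt, _hash_pin(pin, salt))

    canary_salt = secrets.token_bytes(16)
    return RegisterAuth(
        employees={"emp_x": make("Employee X", "4821"), "emp_y": make("Employee Y", "7350")},
        canary_salt=canary_salt,
        canary_hash=_hash_pin("9999", canary_salt),
    )


if __name__ == "__main__":
    print("1-digit PIN, 5 guesses:", guess_probability(1, 5))
    print("4-digit PIN, 5 guesses:", guess_probability(4, 5))
    auth = build_demo()
    print(auth.login("emp_x", "4821", now=1000.0))   # ok
    print(auth.login("emp_y", "9999", now=1001.0))   # alert: canary PIN typed
    for i in range(5):
        print(auth.login("emp_y", "0000", now=1002.0 + i))  # denied x4, then locked
    print(auth.login("emp_y", "7350", now=1010.0))   # still locked
    print(auth.login("emp_y", "7350", now=1400.0))   # ok after the lockout window
```

The two numbers from `guess_probability` make the "1-in-N" point in the quoted reply explicit (5 guesses against a 1-digit PIN succeed half the time; against a 4-digit PIN, 1 in 2000), while the lockout shows that the guessing channel is bounded by policy, not only by PIN length. The canary check and the per-employee audit trail are the defensive counterparts of the "false password that kicked off IDS" and "I have it on video" remarks.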

