Full Disclosure mailing list archives
Re: It's not that simple... [Was: Re: Disney Down?]
From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 17 Aug 2005 14:41:02 -0500 (CDT)
[SNIP]
Greg Smith, the county's assessor, recorder and clerk, said "As long as we're up (today), we'll be fine."

Greg Smith is thinking much too lightly of the situation. Their systems just got hit with an exploit that allows for remote code execution and elevation of privilege. If I were him, I would be very concerned about data theft, and performing network-wide audits.

"Yesterday's crash marked the third time in recent weeks that significant computer problems have affected county government."

Well, enough said about Greg Smith or whoever manages SDC's systems... Let's take a look at the ISS advisory that makes a respectful analysis of the phrase "code execution and elevation of privilege":

"Successful exploitation of this vulnerability could be leveraged to gain complete control over target systems, and might lead to malware installation, exposure of confidential information, or further network compromise. Due to the widespread use of the affected operating systems and the critical nature of the component affected, it is likely that servers and desktops used for a wide variety of purposes are vulnerable to this issue."

The initial exploited fault aside, I see no excuse for this.
Of course you are correct, there is NO excuse for this in any setting, yet, considering the past ten years of GAO audits and advisories on the federal side of gvt systems, what makes one think that state and local county govs would have any better standing? Part of the problem is that govs wish to pay nothing and get everything in return, and are extremely poor in getting out raises and tend to pull back immensely on the benefit packages, if one can really label them such. So, they tend to get "what they pay for", which in the case of the gov site I work under, is a bunch of certified idiots that lack the skills to do what they have been tasked to do. Their vested interest lies in a "proper public presentation", meaning they don't hire folks that lack a suit and tie, and thus have missed out in recruiting into their realm persons with the skills to actually make a difference, if not for the following: Not to mention that no one wishes to take responsibility, for that might also task them to accountability.

I can tell you for a fact that since our unskilled sec folks where I work won't go "outside the border" to discover vuln info, they did not get a clue about the recent trojan till far after the fact that many sites had been hit by it. In fact their announcement came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping along at minimum, with taxpayers footing the bill, but that's life in gov settings and more so perhaps in state and county govs that lack the auditing controls like the GAO <smirk>

Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get 'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- It's not that simple... [Was: Re: Disney Down?] Fergie (Paul Ferguson) (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)
- RE: It's not that simple... [Was: Re: Disney Down?] Geo. (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Ron DuFresne (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] fd (Aug 18)
- Re: It's not that simple... [Was: Re: Disney Down?] Nick FitzGerald (Aug 18)
- Re: It's not that simple... [Was: Re: Disney Down?] Ron DuFresne (Aug 22)
- Re: It's not that simple... [Was: Re: Disney Down?] James Tucker (Aug 19)
- Re: It's not that simple... [Was: Re: Disney Down?] Barrie Dempster (Aug 19)
- RE: It's not that simple... [Was: Re: Disney Down?] Geo. (Aug 17)
- Re: It's not that simple... [Was: Re: Disney Down?] Micheal Espinola Jr (Aug 17)
- Re: Re: It's not that simple... Jason Coombs (Aug 17)
- Re: Re: It's not that simple... Kurt Seifried (Aug 17)
- Re: Re: It's not that simple... Micheal Espinola Jr (Aug 17)
- Re: Re: It's not that simple... Jason Coombs (Aug 17)
- Re: Re: It's not that simple... yossarian (Aug 17)
- NULL sessions on Windows 2000 systems [Was: Re: Re: It's not that simple...] Jean-Baptiste Marchand (Aug 18)
- Re: NULL sessions on Windows 2000 systems [Was: Re: [Full-disclosure] Re:It's not that simple...] yossarian (Aug 18)