Full Disclosure mailing list archives

Re: It's not that simple... [Was: Re: Disney Down?]


From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 17 Aug 2005 14:41:02 -0500 (CDT)


        [SNIP]


Greg Smith, the county's assessor, recorder and clerk, said "As long
as we're up (today), we'll be fine."  Greg Smith is thinking much too
lightly of the situation.  Their systems just got hit with an exploit
that allows for remote code execution and elevation of privilege.  If
I were him, I would be very concerned about data theft, and performing
network-wide audits.

"Yesterday's crash marked the third time in recent weeks that
significant computer problems have affected county government."  Well,
enough said about Greg Smith or whoever manages SDC's systems...

Let's take a look at the ISS advisory that makes a respectful analysis
of the phrase "code execution and elevation of privilege":

"Successful exploitation of this vulnerability could be leveraged to
gain complete control over target systems, and might lead to malware
installation, exposure of confidential information, or further network
compromise. Due to the widespread use of the affected operating
systems and the critical nature of component affected, it is likely
that servers and desktops used for a wide variety of purposes are
vulnerable to this issue."

The initial exploited fault aside, I see no excuse for this.




Of course you are correct, there is NO excuse for this in any setting,
yet, considering the past ten years of GAO audits and advisories on the
federal side of gvt systems, what makes one think that state and local
county govs would have any better standing?  Part of the problem is that
govs wish to pay nothing and get everything in return, and are extremely
poor in getting out raises and tend to pull back immensely on the benefit
packages, if one can really label them such.  So, they tend to get "what
they pay for", which in the case of the gov site I work under, is a bunch
of certified idiots that lack the skills to do what they have been tasked
to do.  Their vested interest lies in a "proper public presentation",
meaning they don't hire folks that lack a suit and tie, and thus have
missed out in recruiting into their realm persons with the skills to
actually make a difference, if not for the following:  Not to mention
that no one wishes to take responsibility, for that might also task them
to accountability.  I can tell you for a fact that since our unskilled
sec folks where I work won't go "outside the border" to discover vuln
info, they did not get a clue about the recent trojan till far after
the fact that many sites had been hit by it.  In fact their announcement
came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping
along at minimum, with taxpayers footing the bill, but that's life in gov
settings and more so perhaps in state and county govs that lack the
auditing controls like the GAO <smirk>


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

