Firewall Wizards mailing list archives

Re: Waning Security


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Apr 2004 16:43:41 -0400 (EDT)

On Thu, 22 Apr 2004, S. Jonah Pressman wrote:

> Chuck, you make excellent points and seem to be extremely passionate
> about corporate security.  Your methodology of airing corporate dirty
> laundry in public leaves a lot to be desired.  In fact, you've just

It was asking for advice, and while many may see it as "dirty laundry,"
that's more because they're holding pre-conceived notions about how much
information is already out there.  Simple obscurity isn't going to help-
how many hundreds of thousands of ex-company employees do you think are
out there?  How many of them know the deal?  How many customers can't
count how many keys a cashier presses?  How many attackers have profiled
how many stores?  How many attackers have social engineered how many
employees to gain the information?  How many former employees are
attackers?  How many current employees are attackers?  This just isn't the
level of badness that people keep proclaiming.

It may be popular to sensationalize "Leaking information!" but let me tell
you- anyone who thinks the attacker community hasn't already profiled
places like the one in question is _kidding_themselves_.

> single-handedly issued an invitation to "black-hats" to sample the
> fruits inside your corporate walls.  If I were your manager, I'd

Any serious attacker would validate this anyway- at which point the
information would be known to them- and I honestly don't believe that half
the information is that pertinent.  That's why I responded the way I did.

> introduce you to the corporate legal counsel and then escort you to the
> door.

Anyone who does that isn't thinking, and probably doesn't have the right
employment contract in place in a retail environment anyway.

> I am surprised that your note was posted by the moderator.  Frankly, it
> should have been sent back to you with the suggestion to sanitize it
> before resubmission.

Sanitizing it probably would have cost a potential attacker an additional
15 minutes of Google time.  Do other people in this community not
regularly track folks on the Net?  Anyone who thinks removing the company
name would have made the hurdle that much harder doesn't understand the
attacker community, and should probably go check their defenses again.

We defenders *have* to work *together*- otherwise, we lose.

Personally, I would refuse to do business with any company that allowed
its infrastructure to go downhill, then blamed it on someone seeking
information on how to get it changed.  Now, there may have been better
ways to approach this, and there may have been some sensitivity to
sanitizing it- as in not hurting the feelings of whoever's responsible for
the architecture- but that's not a security issue, and if they have the
ability to remove someone who's concerned, but can't fix the underlying
issues, then honestly, the wrong person's being removed.

Security is *everyone in an organization's responsibility* but that means
that the people in charge have to pay attention.  If there's not an easy
and well-known way for an organization to inform and indeed complain about
it, it's STILL not the messenger's fault.  Shooting the messenger ensures
you get no more messages- that's not good business, that's not good FOR
business, and that's a good way to piss off a bunch of people.

Retail environments make lots of security/risk/cost trade-offs that people
outside that environment don't understand.  Then they tend to adjust after
the fact if they need to.  If that's true in this case, then again, no use
in looking at the messenger, it wasn't them that made the choice.  If it's
not true, then again, it wasn't the messenger who was responsible for
fielding such systems.

If I had an employee who wanted to know what to do to make my business
better, and who asked experts in the field how to achieve that, I'd give
them more work to do- helping improve the situation.  Then I'd let them
tell the world what a great company we had by doing that.

If your reaction after thinking about it is to shoot the messenger, then
we should *all* have an issue with that.  While the original message
contains some embarrassing stuff, there's nothing in there that an
attacker couldn't (a) easily find out and (b) publish at will.

If anyone from the company in question has any questions, I'd be happy to
enlighten them via phone, if they e-mail me directly I'll send contact
info.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards