Firewall Wizards mailing list archives
Re: Waning Security
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Apr 2004 21:43:03 -0400 (EDT)
On Thu, 22 Apr 2004, Frederick M Avolio wrote:
> At 04:43 PM 4/22/2004 -0400, Paul D. Robertson wrote:
> > It was asking for advice, and while many may see it as "dirty laundry," that's more because they're holding pre-conceived notions about how much information is already out there.
>
> I'm not. I think this list has shown maturity in thinking. If it was my company, he'd be fired for his exceedingly poor judgement. And shifting from the poster (him) to the post ("It") doesn't fool anyone. :-)
If businesses fired people for "poor judgement," there'd be nobody in management, sales, or marketing ;)
> > Simple obscurity isn't going to help-
>
> Bogon alert. Broadcasting inside-verified holes in security isn't either.
Depends on what the outcome is- if this gets them fixed, or if this was helpful enough to the original poster to get them fixed, then it just might. There was one part that was, in my mind anyway, questionable, the rest wasn't anything surprising, or all that damaging, and I can get more information from hanging out at a bar 2 doors down from a Kinkos. Going from say 50,000 people who know this (and that number's probably low) to say 60,000 (and that delta's probably high) just does not change the threat that significantly. The bar to get this info just isn't that high. There are what, 1200 or so stores, and they probably get huge turnover, so I'm guessing that most of the "revelations" are known to at least 250,000 people and possibly their friends (for the ones that aren't store-specific.) I'd also hazard to guess that you could go into a store with a survey that asked all the right questions and get >30% of the employees to fill it out while they're copying it. "Hi, I'm doing an anonymous survey, and I need to have it copied, can you fill one out and make me 100 blank copies?" would probably work 99% of the time against the minimum wage folks working there at 2am. [snip]
> I don't think it was bad. I think it was foolish.
If it's not bad, it's not a termination offense. If you can't stop the 100 people who just quit working at the company today from divulging the same info, it's not confidential. If more than 10,000 people know it, it's not a secret.
> > It may be popular to sensationalize "Leaking information!" but let me tell you- anyone who thinks the attacker community hasn't already profiled places like the one in question is _kidding_themselves_.
>
> Okay, you can't bait me. :-) I don't buy it.
Kinkos laid off a large number of employees in 2001- that's a lot of gruntles to be dissing. We all know that disgruntles are trouble. Lots of those people are in a social position to compromise via current employees. A large number of "Who did what" stuff that I get is from former employees, I can't imagine a scenario where they've got some magic thing that makes it not happen to them. Here's enough information to plan lots of badness: http://www.lantronix.com/news/news/std_reprint.html Lamo did some of his deeds from Kinkos, think he couldn't profile the places he did his scanning from?
From USENET, here are two simple posts:

----------------

Does anyone have some ideas about hacking the software that Kinko's (the 24-7 rent-a-Mac and laser printer outfit) employs to keep track of a customer's expended time online and printer output?

This may not work at all Kinko's, but at the one where I work, you can just force Desk Tracy to quit like any other application. I haven't messed around with it too much cuz I have the password for our store. Also, keep in mind that at most Kinko's the cashiers don't have a clue as to how much time you've spent on the computers or how many printouts you made. I do keep an eye on the color printer though, and I sometimes find an excuse to follow a customer to the register if they've been a dick and I wanna make sure they pay. Flash your 2600 badge and it's all free.

I have found that if you remove the cable that is plugged into the back of the computer, the one that goes to the card tak, it won't charge you and bill it to the admin account. I have done this at least three times and it does not print out any type of bill at the end.

----------------

All, I went to my local Kinko's today to make some copies and they no longer use key counters for the copiers.. they now use smart cards... does anyone have any info on these types of cards and how they work... Thanks for any info... Peace, Twiggs

----------------

Keep in mind that a good portion of the attacker community thinks that Internet access from there is anonymized enough to save them. Some of those folks will recon the environment out of habit or principle. I could probably spend an hour or two coming up with a profile from Web/News that'd be much more scary than the original posting. If I was going to do social engineering, or track down former or disgruntled employees, I could do quite a bit.
> > Sanitizing it probably would have cost a potential attacker an additional 15 minutes of Google time. Do other people in this community not regularly track folks on the Net? Anyone who thinks removing the company name would have made the hurdle that much harder doesn't understand the attacker community, and should probably go check their defenses again.
>
> I guess then I don't understand it. Because I don't want to give them that 15 minute edge. Especially if it costs me nothing to keep quiet or ask a smaller community.
Bogon alert (;-p) You're switching between limiting distribution and obfuscating the company. Those are two different things. The attacker community is really good at figuring out these things. The social vector into finding out where Chuck worked wouldn't be that difficult assuming it's not already on the Net. When I track bad guys, I can find out a lot about them, and it doesn't take me more than a day or two to draw up a good profile. I'm not doing magic, and a lot of attackers can get information more easily- and once you have enough info, it's not all that hard to pay for the rest ($15 goes a long way these days.)
> > Personally, I would refuse to do business with any company that allowed its infrastructure to go downhill, then blamed it on someone seeking information on how to get it changed.
>
> But, you know, sometimes it is the only place open late at night when you need copying. :-)
I'd still avoid it. My principles aren't driven by convenience. If you can't tell from the number of posts, this is one I feel strongly about.
> > Security is *everyone in an organization's responsibility* but that means that the people in charge have to pay attention. If there's not an easy and well-known way for an organization to inform and indeed complain about it, it's STILL not the messenger's fault. Shooting the messenger ensures you get no more messages-
>
> I'd not shoot the messenger for noticing a problem. I'd shoot the messenger for telling the world about it.
Then you'd (a) still have the problem, and (b) have no more messengers. What a great plan! You could then just pretend the event never happened and wallow happily in the knowledge that nobody will ever talk bad about security again until the press finds out about a breach! I'd (a) shoot the architect of the major issues, and (b) shoot the person who's responsible for having people report these things internally. You'd have one more bullet left than me, but I'd have a much better handle on my organization's security. Then I'd assign the messenger to recommend cheap, easy fixes, so they can see what the message cost me- and they'd have to document the risks and the costs, while working with the replacements for the two dead folks. Making them solve security problems is punishment enough :)
> > While the original message contains some embarrassing stuff, there's nothing in there that an attacker couldn't (a) easily find out and (b) publish at will.
>
> Bogon alert. A would-be attacker can *now* easily find out. I am not convinced that is the case however. Publish at will? Sure.
If you can't stop an attacker from publishing it, then it's not confidential enough to dismiss an employee over, unless there's a clear policy violation, and even then lack of malice would dictate education rather than dismissal. They could already find out. I'm half-tempted to go see what I can social engineer out of a local branch, but that's outside my ethical boundary if they're not asking for it.
> "I'm sorry the plans on that new weapons system leaked. But, they were already probably out there before I leaked them to the enemy."
Weapons systems are classified, and you can stop third parties from publishing them. I watch cashiers at BestBuy type in their passwords all the time. People give out passwords for chocolate- it's just not difficult to get this level of information. It's easier when all the low-wage folks whose problem it isn't know it... I've seen much, much worse places. Generally *after* a huge compromise. All of those places were compromised before news of their lax security was public- and in the worst-compromised places, all the attackers knew they were weak targets.
> I'd really encourage other people, the first day they stumble on this -- or any -- list to think more before posting.
I'm sure at this point, with all the virtual shooting going on, the original poster has been more than educated on "shoulda, coulda, woulda" stuff. I really hope he's not put off communicating with this community, because we already have enough communication problems without all the unhelpful shootings happening. If the defensive community is to have a hope of outdoing the attacker community, we're going to *have* to start sharing potentially embarrassing information. We're also going to have to start blaming the attackers for attacking, not people on our side.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
paul () compuwar net          which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation