Re: Waning Security

["Paul D. Robertson" <paul () compuwar net>]

On Thu, 22 Apr 2004, Frederick M Avolio wrote:

> At 04:43 PM 4/22/2004 -0400, Paul D. Robertson wrote:
> > It was asking for advice, and while many may see it as "dirty laundry,"
> > that's more because they're holding pre-conceived notions about how much
> > information is already out there.
>
> I'm not. I think this list has shown maturity in thinking. If it was my
> company, he'd be fired for lack his exceedingly poor judgement. And shifing
> from the poster (him) to the post ("It") doesn't fool anyone. :-)

If businesses fired people for "poor judgement," there'd be nobody in
management, sales, or marketing ;)

> >  Simple obscurity isn't going to help-
>
> Bogon alert. Broadcasting inside-verified holes in security isn't either.

Depends on what the outcome is- if this gets them fixed, or if this was
helpful enough to the original poster to get them fixed, then it just
might.  There was one part that was, in my mind anyway, questionable, the
rest wasn't anything surprising, or all that damaging, and I can get more
information from hanging out at a bar 2 doors down from a Kinkos.

Going from say 50,000 people who know this (and that number's probably
low) to say 60,000 (and that delta's probably high) just does not change
the threat that significantly.

The bar to get this info just isn't that high.  There are what, 1200 or so
stores, and they probably get huge turnover, so I'm guessing that most of
the "revelations" are known to at least 250,000 people and possibly their
friends (for the ones that aren't store-specific.)

I'd also hazard to guess that you could go into a store with a survey
that asked all the right questions and get >30% of the employees to fill
it out while they're copying it.  "Hi, I'm doing an anonymous survey, and
I need to have it copied, can you fill one out and make me 100 blank
copies?" would probably work 99% of the time against the minimum wage
folks working there at 2am.

[snip]
> I don't think it was bad. I think it was foolish.

If it's not bad, it's not a termination offense.  If you can't stop the
100 people who just quit working at the company today from divulging the
same info, it's not confidential.  If more than 10,000 people know it,
it's not a secret.

> > It may be popular to sensationalize "Leaking information!" but let me tell
> > you- anyone who thinks the attacker community hasn't already profiled
> > places like the one in question is _kidding_themselves_.
>
> Okay, you can't bait me. :-) I don't buy it.

Kinkos laid off a large number of employees in 2001- that's a lot of
gruntles to be dising.  We all know that disgruntles are trouble.  Lots of
those people are in a social position to compromise via current employees.
A large number of "Who did what" stuff that I get is from former
employees, I can't imagine a scenario where they've got some magic thing
that makes it not happen to them.

Here's enough information to plan lots of badness:

http://www.lantronix.com/news/news/std_reprint.html

Lamo did some of his deeds from Kinkos, think he couldn't profile the
places he did his scanning from?

> From USENET, here are two simple posts:

----------------

> Does anyone have some ideas about hacking the software that Kinko's (the
24-7
> rent-a-Mac and laser printer outfit) employs to keep track of a
customer's
> expended time online and printer output?

This may not work at all Kinko', but at the one where I work, you can
just force Desk Tracy to quit like any other application. I haven't messed
around with it too much cuz I have the password for our store.

Also, keep in mind that at most Kinko's the cashiers don't have a clue as
to how much time you've spent on the computers or how many printouts you
made. I do keep an eye on the color printer though, and I sometimes find
an excuse to follow a customer to the register if they've been a dick and
I wanna make sure they pay. Flash your 2600 badge and it's all free.

I have found that if you remove the cable that is plugged into the back of
the compyuter, The one that goes to the card tak, it wont charge you and
bill it to the admin account. I have done this at least three times and it
doesn not proint out any type of bill at the end.

----------------

All,

I went to my local Kinko's today to make some copies and they no longer
use key counters for the copiers.. they now use smart cards... does anyone
have any info on these types of cards and how they work... Thanks for any
info...

Peace,
Twiggs
----------------

Keep in mind that a good portion of the attacker community thinks that
Internet access from there is anonimized enough to save them.  Some of
those folks will recon the environment out of habit or principle.  I could
probably spend an hour or two coming up with a profile from Web/News
that'd be much more scary than the original posting.  If I was going to do
social engineering, or track down former or disgruntled employees, I could
do quite a bit.

> > Sanitizing it probably would have cost a potential attacker an additional
> > 15 minutes of Google time.  Do other people in this community not
> > regularly track folks on the Net?  Anyone who thinks removing the company
> > name would have made the hurdle that much harder doesn't understand the
> > attacker community, and should probably go check their defenses again.
>
> I guess then I don't understand it. Because I don't want to give them that
> 15 minute edge. Especially if it costs me nothing to keep quiet or ask a
> smaller community.

Bogon alert (;-p) You're switching between limiting distribution and
obfuscating the company.  Those are two different things.  The attacker
community is really good at figuring out these things.  The social vector
into finding out where Chuck worked wouldn't be that difficult assuming
it's not already on the Net.  When I track bad guys, I can find out a lot
about them, and it doesn't take me more than a day or two to draw up a
good profile.  I'm not doing magic, and a lot of attackers can get
information more easily- and once you have enough info, it's not all that
hard to pay for the rest ($15 goes a long way these days.)

> > Personally, I would refuse to do business with any company that allowed
> > its infrastructure to go downhill, then blamed it on someone seeking
> > information on how to get it changed.
>
> But, you know, sometimes it is the only place open late at night when you
> need copying. :-)

I'd still avoid it.  My principles aren't driven by convenience.  If you
can't tell from the number of posts, this is one I feel strongly about.

> > Security is *everyone in an organization's responsibility* but that means
> > that the people in charge have to pay attention.  If there's not an easy
> > and well-known way for an organization to inform and indeed complain about
> > it, it's STILL not the messenger's fault.  Shooting the messenger ensures
> > you get no more messages-
>
> I'd not shoot the messenger for noticing a problem. I'd shoot the messenger
> for telling the world about it.

Then you'd (a) still have the problem, and (b) have no more messengers.
What a great plan!  You could then just pretend the event never happened
and wallow happily in the knowledge that nobody will ever talk bad about
security again until the press finds out about a breach!

I'd (a) shoot the architect of the major issues, and (b) shoot the person
who's responsible for having people report these things internally.

You'd have one more bullet left than me, but I'd have a much better handle
on my organization's security. Then I'd assign the messenger to recommend
cheap, easy fixes, so they can see what the message cost me- and they'd
have to document the risks and the costs, while working with the
replacements for the two dead folks.  Making them solve security problems
is punishment enough :)

> > While the original message contains some embarrassing stuff, there's
> > nothing in there that an attacker couldn't (a) easily find out and (b)
> > publish at will.
>
> Bogon alert. A would-be attacker can *now* easily find out. I am not
> convinced that is the case however. Publish at will? Sure.

If you can't stop an attacker from publishing it, then it's not
confidential enough to dismiss an employee over, unless there's a clear
policy violation, and even then lack of malice would dictate education
rather than dismissal.  They could already find out.  I'm half-tempted to
go see what I can social engineer out of a local branch, but that's
outside my ethical boundary if they're not asking for it.

> "I'm sorry the plans on that new weapons system leaked. But, they were
> already probably out there before I leaked them to the enemy."

Weapons systems are classified, and you can stop third parties from
publishing them.  I watch cashiers at BestBuy type in their passwords
all the time.  People give out passwords for chocolate- it's just not
difficult to get this level of information.  It's easier when all the
low-wage folks who's problem it isn't know it...

I've seen much, much worse places.  Generally *after* a huge compromise.
All of those places were compromised before news of their lax security
was public- and in the worst-compromised places, all the attackers knew
they were weak targets.

> I'd really encourage other people, the first day they stumble on this -- or
> any -- list to think more before posting.

I'm sure at this point, with all the virtual shooting going on, the
original poster has been more than educated on "shoulda, coulda, woulda"
stuff.  I really hope he's not put off communicating with this community,
because we already have enough communication problems without all the
unhelpful shootings happening.  If the defensive community is to have a
hope of outdoing the attacker community, we're going to *have* to start
sharing potentially embarrassing information.  We're also going to have to
start blaming the attackers for attacking, not people on our side.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards