RE: [inbox] Re: RE: Linux (in)security

["Curt Purdy" <purdy () tecman com>]

> I agree that inherent OS features have much to do with their
> security, but must observe that OSs like VMS and OS/400 have
> very few security issues

<snip>

Agreed, I believe OS/400 may be the most secure out-of-the-box system out
there.  But never underestimate a lousy vendor.   My last audit was for a
HIPAA client that had all patient records on an AS/400.  I thought I didn't
have a chance in heck of touching them.  On the AS/400 side that was true,
with extremely granular access, allowing only certain users to certain data
that was unreachable otherwise.

However their main application happened to create a world readable/writeable
windows share of the records.  I simply plugged my laptop into an empty wall
socket, browsed the ip network (not even logged into anything) and saw,
copied, and wrote to any record of my choosing.  I was so shocked it took me
a few minutes to realize I just hit a grand slam.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

<<attachment: winmail.dat>>