Full Disclosure mailing list archives
RE: Name One Web Site Compromised by Download.Ject?
From: "joe" <mvp () joeware net>
Date: Sat, 3 Jul 2004 11:45:12 -0400
Interesting post, thanks. Couple of notes:

1. Your point (a) I completely agree with. Both because they don't want to become a bigger target to hackers but also because there is a possibility of opening them up to litigation for not properly maintaining their systems. The last weighs more heavily on the minds of IT Directors and CIOs of large companies than the former in my experience dealing with those people. Many of them don't even want outside people knowing they hire external people to look at their security and have clauses in the contracts indicating what can and can't be disclosed or in many cases if you can even list them as ever being a client. It sounds like you have encountered similar.

2. Your point (b) could be correct, but more often I think it would be more an issue of incomplete or incorrect configuration. Generally it is configured the way it is either because that is the way it was always done or because there is no time for the people who understand security to work on it because they are dragged into stupid meetings about inane things.

3. Your point (c) can be EXTREMELY correct. As anyone who has consulted for or worked in a large company (say > 5 or 10 thousand employees) knows, these large companies can be a haven for the sludge, though small companies can get it too. While working onsite at a Global 5 company we figured that maybe 1-2% of the IT folks seemed to actually be getting things done. The other 98-99% were there slowing things down unnecessarily and making life more difficult and could most likely, if the first 1-2% had time, be replaced by intelligent automated systems. It is tougher for the boneheads to hide in smaller environments unless there is no one else who knows better in the company or organization or if the management is where the boneheads are.

I had a small gig I took care of last week. It was maybe 500 desktops (mixed Windows, Mac, Linux), tiny installed base basically. Walked in and the configuration was IT Director with a few analysts reporting through the CFO. This is actually a pretty common configuration. It tends to be bad for security though. I knew most of what I needed to know about the company sitting in a chair out in a hallway in front of the company suite as they had wireless, including the CIO's home phone, cell phone, address, and daughter's address/phone at University.

Long story short, realized that there wasn't a whole lot I could do for them through the IT Director or CFO so chatted with the CEO. Told him that it was bad to have IT report through Finance even though it was common. Said he should interview his IT Director and find out what he considered his highest 2-3 priorities. If Security wasn't there he should probably be removed. Also indicated that they needed to yank IT out from under Finance and there should be a CIO so IT had a true voice, seeing how critical the computing environment was to this company (couldn't do business without it anymore, as many companies have). CEO interviewed the director; guess what the highest priority had to do with? Surprise... Budget. After that was variations of keeping users happy or ways to stick to budget.

4. Your point (d) I believe less in. A lot of the issue is what is pointed out in 3. The people who actually can figure things out are so bogged down in stupid things or under stupid management they don't have the time to put into the important things. The 17 year old hackers have all of the time in the world to bump against whatever they choose. Your paren'ed statement nails it perfectly. The number of meetings that were dragged out to a full one-two hours by the evil 98-99% instead of being 5 minutes long as they should be approaches 100% of the meetings in the larger companies. Of course you still have the management issue as well. You could have the best admin in the world; if the management doesn't believe in what he/she wants to accomplish, too bad for that admin.

Had one company I helped out a few years ago where the admin was pushing for a firewall for months. Again this company was an IT-under-Finance company. Couldn't get a firewall because the CFO didn't feel it was a good budget expenditure. I sent him a couple of his own files that he really didn't want anyone seeing - from his own account from home. They had money for a firewall in short order.

Overall though, I agree that most companies do not want their underwear being exposed. I am not so sure that full disclosure should extend to publishing who has been compromised; I don't honestly see it being much value other than to quell the "right to know" crazies. Consider your home: someone figures out you leave your door unlocked? Do you want them to tell the neighborhood or tell you? If you get burgled for it do you want the cops telling the neighborhood you are an idiot and did that? Sure it might help some people comply with security for fear of embarrassment but I don't see that as a viable solution long term. It doesn't work, look around.

joe

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Gregory A. Gilliss
Sent: Wednesday, June 30, 2004 3:31 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Name One Web Site Compromised by Download.Ject?

Oh the naivete ... Regardless of the fact that this is full disclosure, does anyone really think that any medium to large business concern wants to make public the fact that their IT infrastructure is vulnerable? Especially in the Fascist Utopia that we call America? Pu-LEEZ!

The reason that you have not seen anything is because no one wants to admit that (a) they are vulnerable, (b) their equipment sucks, (c) they employ idiots, (d) seventeen year old hackers are more intelligent/ diligent/ persistent than their US$100,000+ per year IT guru (who's currently in a meeting...please leave a detailed message).

As a normal part of any security audit that I perform, I provide the client with a contract that explicitly states that I will not, under penalty of law, divulge the identity of the client to anyone (except maybe the DoJ if they come after me). Companies (infallible as they are) have no desire to publicize their shortcomings. The lack of news regarding victims of this huge gaping hole (HGH) is no conspiracy or coverup. It's called "standard operating procedure". If you ever get a job in a corporation, you will become familiar with it.

Academicians aren't supposed to practice information hiding. However, I wonder whether your search would uncover any academic institutions that have suffered a similar fate?

BTW, I don't necessarily advocate the silence; I merely understand it.

G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html