funsec mailing list archives

RE: Administrator Accounts


From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Wed, 22 Feb 2006 18:30:00 -0800

Because sir, the decisions on software are not made by the geeks but by the high level folks that haven't a clue about what securely coded software is.

Larger firms can do RFPs but even then the team designing the specs has to know what they are talking about. What drives software sales? Security? No, it's because someone else made the decision that they needed the program that integrates that into that and throws up cute little pie charts. Or it syncs with a cell phone, or some other thing that made it the software you just had to have.
Hang around the ActiveDir.org listserves where the folks complain about management buying something AD integrated and only after the contract has been signed does someone look to see what "it" needs to bolt onto that network or worry about the security implications of what adjustments it needs to the Active Directory environment.

Right now there are not enough folks in the decision-making roles who ask the tough questions of vendors.
It plays into this:

RSA: Secure software is up to businesses
Most businesses aren't doing enough to
build and buy securely written software,
according to a panel of corporate security
executives, academics and professional
software developers speaking at the
RSA Security Conference 2006 yesterday.

http://www.computerworld.com/securitytopics/security/story/0,10801,108716,00.html
http://www.securesoftwareforum.com/assets/documents/SPISSFWhitePaper.pdf

We're not pushing because the people making the decisions and signing the checks do not know enough to know to ask the right questions.

Right now Intuit got away with it until the SANS.org site made them their "first inductee into the Local Admin Hall of Shame". Between that and the fact that Microsoft's accounting application came into the marketplace and added competition (which is ironic, isn't it?), they have since announced that they will "fix this issue" in the 2007 program.

The marketplace has to care, and until it does, vendors have no incentive to fix this.

This accountant thinks it's shameful that so many of my own industry's applications are lacking in the foundations of security.

Back to lurking....

Susan



From: Nick FitzGerald <nick () virus-l demon co uk>
Subject: RE: [funsec] Administrator Accounts
To: funsec () linuxbox org
Message-ID: <43FDC209.9488.4D901746 () nick virus-l demon co uk>
Content-Type: text/plain; charset=US-ASCII

Todd Towles wrote:


My friend Susan Bradley said it in 2005 -

 "We need to understand that we need to protect ourselves a little bit
better. At the same time, the vendors need to step up to the plate.
Intuit, in particular, and other vendors that do not support limited
user rights are forcing me to make security decisions. They are the ones
causing insecurity on the desktop, not me."

But not all applications will run if the user does not have
administrative privileges, Bradley said.

"The ultimate goal is that every single application that we have
installed in our systems will run in user modes," Bradley said. "The
Microsoft applications do run in user mode. I cannot say that for the
rest of my stupid line-of-business applications. To get certified for
design for a Windows XP logo, you have to run as a user mode."

So why, pray tell, is _any_ corporate system running any of these crappy apps?

If it doesn't "run in user mode", WTF was it ever approved for use in the business?

Had corporates taken this "we actually really do care, maybe just a little though, about security" stance, this problem would not exist _for "business use" software_ today.

The reason the problem exists is that "too many" corporate IT folk either don't have the balls to front a major s/w developer like Intuit (and all the others) and demand that they fix their crappy software, or the IT folk's advice is overridden by some security-clueless moron (probably an accountant) who decides it is cheaper (in terms of up-front dollars and cents) to stick with the app that they were using when Win9x ruled their roost (and don't get me started on the question of why that PoS was _ever_ used in a business that claims to care about security) and not face the re-training, data conversion, process conversion, etc, etc, etc costs of switching to Product X which does offer the intangible benefit of allowing a better security design for their IT system.

Thinking in the small by small-minded folk who can only see their constrained view of the world...


Regards,

Nick FitzGerald

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
