Re: Template Admin Notification

["Forrester, Mike" <mforrester () HSACORP NET>]

> -----Original Message-----
> From: Rick Ballard [mailto:Richard.Ballard () XWAVE COM]
> Sent: Wednesday, January 24, 2001 2:17 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: [INCIDENTS] Template Admin Notification
>
>
> Unless a scan has come from a cable modem ip or dialup, it is usually
> safe to assume that it has come from a compromised system.

I disagree.  We have a lot of clueless users and they get hacked all the
time.  Lots of shared hard disks with no password or default Linux installs.
We also get a few script kiddies.  Their parents call up and ask why their
service was turned off and we try to explain to them what happened.  We give
them the times of the incidents and they'll usually say they weren't home or
were sleeping.

"Do you have any children?"

"Yes. I have a 14 year-old son."

"You might want to talk to him about what NetBus is and why your system
trying to scan other systems.  He should be able to fill in the details."

Then they usually ask what they can do to prevent their children from using
their computer or installing scanners and such.  It's hard to find a polite
way to tell them that the odds are not in their favor as their kid probably
has 10 times the computer knowledge that they do and a lot more free time.
Sure they can try and install some Windows lockdown app, but odds are
they'll find a way around it and they probably wouldn't know how to
install/configure it anyway.  Then they ask about Windows 2000 or Linux.
No!  In the hands of the clueless, these are far worse (IMHO)...

Mike Forrester - Systems Security Engineer
HSA Corp. - Denver, CO USA
mforrester () hsacorp net - +1 720 922 2545

"Only amateurs attack machines; professionals target people.
And any solutions will have to target the people problem,
not the math problem." - Bruce Schneier