Interesting People mailing list archives
a rebuttal: Security Biz Thrives on Fear
From: Dave Farber <dave () farber net>
Date: Wed, 16 Apr 2003 15:19:30 -0400
------ Forwarded Message
From: Bob Alberti <alberti () sanction net>
Date: Wed, 16 Apr 2003 14:13:17 -0500
To: dave () farber net
Subject: RE: [IP] Security Biz Thrives on Fear

As a security consulting professional, I find such articles annoying and irresponsible. Annoying because the biggest obstacle to security that I encounter out in the field is DENIAL. Irresponsible because so many organizations turn a blind eye towards security, and articles with this tone only serve to justify this irrational behavior.

Fear is hardly inappropriate when there is something to be afraid of. But denial IS inappropriate.

One prospective client refused any assistance with security until the day they were compromised: then they phoned for immediate assistance. However, the next day they had convinced themselves that, having once been hacked, they would never be attacked again, and refused further help. This "lightning never strikes twice" denial persisted, despite the fact that their IP was listed on hacker defacement sites such as http://lists.insecure.org/lists/alldas/2002/Oct/ (outdated site deliberately referenced).

Another client wanted their external firewall scanned to determine why their internal network kept becoming unusable every day at 2:00 p.m. When I suggested their internal network be examined, I was angrily accused of trying to "upsell", and shown the door.

In many ways security consulting is like being a doctor: you can't force someone to seek your help, accept your diagnosis, or take their medicine. And a lot of people and organizations deny their symptoms until it is too late.

Articles like the one quoted reinforce the "ignore the problem" attitude that so many companies adopt. If the security profile of the typical company were not, frankly, abysmal, then charges of fearmongering would be hard to refute. Unfortunately it is all too easy to discover glaring security vulnerabilities in most corporate networks.
You don't have to believe me, you can check for yourself:

- Download a sniffer (http://www.ethereal.com) and find IDs and passwords traveling in cleartext on your network.

- Install a wireless card and Netstumbler (http://www.netstumbler.com) on a laptop and see how many wide-open access points you find in your workplace or neighborhood.

- Change your workstation's administrator password (this takes ten minutes and a floppy disk), then crack all the passwords on your computer in fifteen seconds or less with L0phtcrack (available through Google search). Use the network administration passwords that you find to log into other computers on your network.

- Play with the "NET SEND * MESSAGE" command and see how many of your coworkers you can harass with bogus messages (actually I suggest you test this one at home).

Such simple experiments, using only free software easily available on the Internet, are easy to carry out and can begin to illuminate the security profile of your network.

Just do me a favor and try not to ignore what you find. The hackers won't. And if that scares you, well, maybe it should.

Bob Alberti, CISSP, President
Sanction, Inc.
PO Box 583453
Mpls, MN 55458-3453
Phone: (612) 961-0507
http://www.sanction.net

------ End of Forwarded Message
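The first experiment in the message above, finding IDs and passwords traveling in cleartext, is the one most easily automated once a sniffer has produced a capture. The following Python scanner is an added example, not part of Alberti's message or of this list archive. It assumes the client-to-server side of each TCP connection has already been reassembled into one payload and exported as (source IP, destination port, bytes) tuples; that layout, the sample streams, the addresses and the credentials in them are all constructed for illustration. It pulls USER/PASS pairs out of FTP and POP3 command streams and decodes HTTP Basic Authorization headers, skipping tokens that are not valid base64 or do not contain the user:password colon.

```python
"""Scan reassembled client->server TCP payloads for credentials sent in the clear.

Added example; not from the original mailing-list message. The streams in
SAMPLE_STREAMS are constructed: on a real network you would export the
client-side TCP payloads of a capture and feed them to
find_cleartext_credentials() in the same (src_ip, dst_port, payload) shape.
"""
import base64
import re
from typing import Iterable, List, NamedTuple, Tuple


class Finding(NamedTuple):
    src: str
    dst_port: int
    protocol: str
    username: str
    secret: str


# Line-oriented protocols whose command stream carries USER/PASS in plain ASCII.
LINE_PROTOCOLS = {21: "FTP", 110: "POP3"}

_BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_USER_RE = re.compile(rb"^USER\s+(\S+)", re.IGNORECASE | re.MULTILINE)
_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def _text(raw: bytes) -> str:
    # Credentials are not guaranteed to be UTF-8; never let a decode error stop the scan.
    return raw.decode("utf-8", errors="replace")


def find_cleartext_credentials(
    payloads: Iterable[Tuple[str, int, bytes]]
) -> List[Finding]:
    """Return one Finding per credential observed in plain text.

    payloads: (src_ip, dst_port, client_to_server_bytes) per TCP connection,
    assumed already reassembled so USER and PASS land in the same payload.
    """
    findings: List[Finding] = []
    for src, dport, data in payloads:
        proto = LINE_PROTOCOLS.get(dport)
        if proto:
            user = _USER_RE.search(data)
            pw = _PASS_RE.search(data)
            if user and pw:
                findings.append(
                    Finding(src, dport, proto, _text(user.group(1)), _text(pw.group(1)))
                )
            continue

        # Any other port: look for HTTP Basic auth, which is just base64 of user:password.
        for match in _BASIC_RE.finditer(data):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            user, sep, pw = decoded.partition(b":")
            if not sep:
                continue  # not user:password, ignore rather than report garbage
            findings.append(Finding(src, dport, "HTTP Basic", _text(user), _text(pw)))
    return findings


# Constructed sample streams (hosts, users and passwords are made up).
SAMPLE_STREAMS = [
    ("10.0.0.12", 21, b"USER alice\r\nPASS hunter2\r\nSYST\r\n"),
    ("10.0.0.15", 80,
     b"GET /intranet/ HTTP/1.1\r\nHost: files.example\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:Winter2003!") + b"\r\n\r\n"),
    ("10.0.0.20", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("10.0.0.21", 110, b"USER carol\r\nPASS s3cret\r\nSTAT\r\n"),
    # Malformed token: valid base64 but no colon, so it must not be reported.
    ("10.0.0.22", 80,
     b"GET / HTTP/1.1\r\nAuthorization: Basic " + base64.b64encode(b"nocolon") + b"\r\n\r\n"),
]


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_STREAMS):
        print(f"{f.src} -> port {f.dst_port} [{f.protocol}] user={f.username!r} secret={f.secret!r}")
```

The point of scanning your own capture this way is the one the message makes: if a script this small can harvest logins, so can anyone with a sniffer on the same segment. Anything it finds is a reason to move that service to TLS or SSH, not a reason to tune the script.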