Information Security News mailing list archives
RE: [TSCM-L] Security? Huh!
From: InfoSec News <isn () c4i org>
Date: Wed, 6 Mar 2002 02:30:50 -0600 (CST)
From: "Anonymous" <popeye () navy mil>

[OK, yesterday I said that this thread is dead unless something interesting popped up, well this one is interesting. This posting is anonymized since this comes from someone active-duty in the navy, reads from the web, and would probably get in a world of hurt posting under their real name(s). - WK]

I hate to contradict this opinion, however, I am an Operations Specialist active in the USN. ITC (Information Technology Chief) has obviously not been exposed to the security side of things very well. For one, without my inside knowledge of the USN's network, you can see the amount of defacements that are gov't based. The numbers speak for themselves.

As for the Navy, they are sadly restricted in their ability to efficiently secure their network due to being contracted out by SPAWAR. No unauthorized "third-party" software is allowed. The security applications that are made available via SPAWAR are pathetic. No IDS, no monitoring software, no nothing. They rely on the LAN Admin's event log alone. Now this may actually be worth something if the admin is actually worth a shit. Usually it's someone not even in the IT rating that has a fair knowledge of NT.

There are many ways that I believe the USN and all military establishments could increase the security of their network. I cannot go into specifics on what I have seen myself, but I can say I have identified 3 major security holes on my ship alone. I can only assume the entire Navy is like this. Maybe they should make security school a requirement before they send these guys to run a network.
-----Original Message-----
From: InfoSec News [SMTP:isn () c4i org]
Sent: Friday, March 01, 2002 2:03 AM
To: isn () attrition org
Subject: Re: [ISN] [TSCM-L] Security? Huh! (fwd)

Forwarded from: Alex Nehlebaeff <Alex.Nehlebaeff () weblinkwireless com>

Maybe, but I seriously doubt you are hired to perform penetration tests on critical government agencies. I would imagine that the buildings you are performing your penetration tests on are buildings that do not contain classified information or systems and are accessible to the public. That is not to say that publicly accessible buildings don't hold sensitive material and that you are not performing a service.

My beef, and this is where I agree with Michael, is you make it sound as if the whole federal government security program is a joke. And after spending 24 years in the Navy, I think I have been exposed to some of the security mechanisms that the government uses and I assure you that your James Bond tactics would not work in the majority of the installations I (and Michael) worked in.

Alex L. Nehlebaeff, ITC(SW), USN(Ret)
- ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.