[Full-Disclosure] Name One Web Site Compromised by Download.Ject?
mvp at joeware.net
Sat Jul 3 16:45:12 BST 2004
Interesting post, thanks.
Couple of notes:
1. Your point (a) I completely agree with. Both because they don't want to
become a bigger target to hackers but also because there is a possibility of
opening them up to litigation for not properly maintaining their systems.
The last weighs more heavily on the minds of IT Directors and CIOs of large
companies than the former in my experience dealing with those people. Many
of them don't even want outside people knowing they hire external people to
look at their security and have clauses in the contracts indicating what can
and can't be disclosed or in many cases if you can even list them as ever
being a client. It sounds like you have encountered similar.
2. Your point (b) could be correct, but more often I think it would be more
an issue of incomplete or incorrect configuration. Generally configured in
the way it is configured either because that is the way it was always done
or there is no time for the people who understand security to work on it
because they are dragged into stupid meetings about inane things.
3. Your point (c) can be EXTREMELY correct. As anyone who has consulted for
or worked in a large company (say > 5 or 10 thousand employees) knows, these
large companies can be a haven for the sludge, though small companies can
get it too. While working onsite at a Global 5 company we figured that
maybe 1-2% of the IT folks seemed to actually be getting things done. The
other 98-99% were there slowing things down unnecessarily and making life
more difficult and could most likely, if the first 1-2% had time, be
replaced by intelligent automated systems. It is tougher for the boneheads
to hide in smaller environments unless there is no one else who knows better
in the company or organization or if the management is where the boneheads

I had a small gig I took care of last week. It was maybe 500 desktops (mixed
Windows, Mac, Linux), tiny installed base basically. Walked in and the
configuration was IT Director with a few analysts reporting through CFO.
This is actually pretty common configuration. It tends to be bad for
security though. I knew most of what I needed to know about the company
sitting in a chair out in a hallway in front of the company suite as they
had wireless including the CIO's home phone, cell phone, address, and
daughter's address/phone at University. Long story short, realized that
there wasn't a whole lot I could do for them through the IT Director nor CFO
so chatted with the CEO. Told him that it was bad to have IT report through
Finance even though it was common. Said he should interview his IT Director
and find out what he considered his highest 2-3 priorities. If Security
wasn't there he should probably be removed. Also indicated that they needed
to yank IT out from under Finance and there should be a CIO so IT had a true
voice seeing how critical the computing environment was to this company
(couldn't do business without it anymore as many companies have). CEO
interviewed the director, guess what the highest priority had to do with?
Surprise... Budget. After that was variations of keeping users happy or ways
to stick to budget.
4. Your point (d) I believe less in. A lot of the issue is what is pointed
out in 3. The people who actually can figure things out are so bogged down
in stupid things or under stupid management they don't have the time to put
into the important things. The 17 year old hackers have all of the time in
the world to bump against whatever they choose. Your paren'ed statement
nails it perfectly. The number of meetings that were dragged out to a full
one-two hours by the evil 98-99% instead of being 5 minutes long as they
should be approaches 100% of the meetings in the larger companies. Of course
you still have the management issue as well. You could have the best admin
in the world, if the management doesn't believe in what he/she wants to
accomplish, too bad for that admin. Had one company I helped out a few years
ago where the admin was pushing for a firewall for months. Again this
company was an IT under finance company. Couldn't get a firewall because the
CFO didn't feel it was a good budget expenditure. I sent him a couple of his
own files that he really didn't want anyone seeing - from his own account
from home. They had money for a firewall in short order.
Overall though, I agree that most companies do not want their underwear
being exposed. I am not so sure that full disclosure should extend to
publishing who has been compromised, I don't honestly see it being much
value other than to quell the "right to know" crazies. Consider your home,
someone figures out you leave your door unlocked? Do you want them to tell
the neighborhood or tell you? If you get burgled for it do you want the cops
telling the neighborhood you are an idiot and did that? Sure it might help
some people comply with security for fear of embarrassment but I don't see that
as a viable solution long term. It doesn't work, look around.
From: full-disclosure-admin at lists.netsys.com
[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Gregory A.
Sent: Wednesday, June 30, 2004 3:31 PM
To: full-disclosure at lists.netsys.com
Subject: Re: [Full-Disclosure] Name One Web Site Compromised by
Oh the naivete ...
Regardless of the fact that this is full disclosure, does anyone really
think that any medium to large business concern wants to make public the
fact that their IT infrastructure is vulnerable? Especially in the Fascist
Utopia that we call America? Pu-LEEZ!
The reason that you have not seen anything is because no one wants to admit
that (a) they are vulnerable, (b) their equipment sucks, (c) they employ
idiots, (d) seventeen year old hackers are more intelligent/ diligent/
persistent than their US$100,000+ per year IT guru (who's currently in a
meeting...please leave a detailed message).
As a normal part of any security audit that I perform, I provide the client
with a contract that explicitly states that I will not, under penalty of
law, divulge the identity of the client to anyone (except maybe the DoJ if
they come after me). Companies (infallible as they are) have no desire to
publicize their shortcomings. The lack of news regarding victims of this
huge gaping hole (HGH) is no conspiracy or coverup. It's called "standard
operating procedure". If you ever get a job in a corporation, you will
become familiar with it.
Academicians aren't supposed to practice information hiding. However I
wonder whether your search would uncover any academic institutions that have
suffered a similar fate?
BTW, I don't necessarily advocate the silence; I merely understand it.
Full-Disclosure is hosted and sponsored by Secunia.