Security Incidents mailing list archives
Re: Analysis: AboveNet attacks
From: paul () MOQUIJO COM (Paul Cardon)
Date: Wed, 3 May 2000 00:13:09 -0400
Richard Bejtlich wrote:
This reminds me of the business/education/etc network diagrams shown in each issue of Network Computing magazine (http://www.networkcomputing.com). This "centerfold" is a great resource for anyone looking to break into a company -- why would anyone volunteer their entire topology, albeit minus IP addresses?
I made that same comment on the firewalls mailing list nearly 2 years ago. Fritz Nelson, Publisher and Editor-in-Chief of Network Computing, used my posting [sans attribution, I should add] in his July 15, editorial "Probing Your Vulnerabilities":

"Looking at job postings for any systems professional provides great clues as to the makeup of the hiring company's network environment. Another one of my favorites is the Centerfold of Network Computing. The accompanying summary even mentions specific hardware models and OS versions. Last year the issue published just prior to DefCon V featured the network of the New York, New York Hotel and Casino in Las Vegas. DefCon was held a block away and across the street at the [old] Aladdin. Great timing."

Mr. Nelson apparently used it for my demonstration of paranoia [he used the word "mind-set" ;^p]. Unfortunately, he followed it up with the following:

"While we appreciate the plug, certainly our Centerfold diagrams don't provide such accurate details of customer networks that they could be used to hack those networks. Besides, if teenage hackers broke into the New York, New York's reservation system as a protest to rude New York City cab drivers, who could blame them? Please don't mistake this issue's review of security auditing probes and our Centerfold on The Designory [...] as a dare."

So Fritz was trying to be his usual flip and witty self, but fell flat this time. I wonder if his opinions have changed in light of information security trends since then. Maybe he'll see this message and respond personally. Who knows? Oh, I can't resist, I'll copy him too.

In penetration tests I have been involved with, any information I acquire about the networks and systems that I otherwise wouldn't know makes it much easier for me to find the weakness(es) in the defenses I am testing.

I maintain the opinion that while the Network Computing Centerfolds do not provide nitty-gritty detail, they are still a goldmine of information indicating potential avenues for attack.

-paul