IP: Re:A bit more of why I sent out the MS message

[David Farber <farber () cis upenn edu>]

> To: farber () cis upenn edu
> Subject: Re: IP: A bit more of why I sent out the MS message
> From: "Perry E. Metzger" <perry () piermont com>
> Date: 28 Aug 1999 10:49:08 -0400
> Lines: 124
>
>
> David Farber <farber () cis upenn edu> writes:
> > Sorry but if simple errors like that get through , just how secure
> > are both the web sites of major players and more interesting their
> > firewalls.
> >
> > As I mentioned before, what impact on the market would a bit of well
> > designed news planted at say the NY Times or WSJ site. What would be
> > the impact of a penetration into a major software vendors site. I
> > just wonder how tight these guys really are and what damage one could
> > cause if they are sloppy
>
> Dear Dave;
>
> Feel free to forward this if you wish.
>
> As a computer security consultant, I can assure you that there *are*
> probably plenty of software vendors with sites and indeed entire
> networks (including master repositories for their software) that are
> likely vulnerable to attack. This is not a guess -- this is based on
> personal observation.
>
> The problem in many organizations is that "security is silent". To
> someone in management, a secure corporate network and an insecure one
> look very similar until a break-in occurs, just as on the wire,
> packets encrypted with 40 bit RC4 and with 3DES don't look very
> different.
>
> Often, if no one has yet detected problems because of lax security, it
> will simply be assumed that security is adequate, especially if "real
> security" would involve spending money, causing inconvenience, or,
> worst of all, stepping on toes. Internal company politics are often an
> organization's worst cause of security problems.
>
> When problems occur, of course, management decides that action must be
> taken. The response to the "security is silent" problem often results
> in companies implementing "loud noise" -- heavily supporting internal
> security departments that produce the appearance of security by
> imposing fascistic internal security controls that gravely
> inconvenience employees.  This is not to say, of course, that fascist
> security controls help. Like 19th century quack cures, they induce
> lots of confidence in the patient, but don't do much for the disease.
>
> I've seen many organizations in which extremely tight-seeming controls
> were put into place, largely to placate incompetent security managers
> and senior management, with the basic effect that security was not
> increased but actually decreased as employees found ways around stupid
> restrictions imposed without any thought to what threat they
> helped. However, management felt better.
>
> Requiring forms be filled out before employees can receive email or
> use the web, having people change passwords every week or two on
> networks where passwords travel in the clear, putting in firewalls
> that are inconvenient for insiders but permit outsiders to get to
> machines on the inside network anyway "because they need to run this
> web application", etc., etc., is a good way to make a security
> department look active, while the actual threats go completely
> unresolved. Sad to say, security departments often decrease both
> productivity and security.
>
> However, in case of trouble, management gets to point to such security
> departments whenever anything goes wrong to say "we could have done no
> better", just as they get to cover their buttocks with security
> assessments made by utterly worthless security consultants from large,
> important seeming companies. A certain very famous east coast
> newspaper that was highly embarrassed about a year ago got to say in
> their post-incident PR that they'd passed an audit done by a large
> famous firm with flying colors. What no one said, of course, was that
> almost all such assessments seem to be conducted by junior people who
> operate with checklists instead of with actual understanding of what
> they are auditing.
>
> The "bad auditors" problem is especially troubling from the big
> accounting firm consulting departments, by the way. These firms
> capitalize on a highly polished reputation, but almost all of them
> send kids fresh out of their "boot camp" programs in to assess whether
> a network is secure, with someone senior "supervising" them -- which
> in practice means "handing them checklists". Such kids are usually
> well meaning, but you can intentionally set up holes in a network the
> size of elephants and they won't notice them because they aren't on
> the checklist. I know -- I've intentionally done this to see whether
> or not the auditors could be trusted, and they usually fail. If a
> scanner or other security check program the auditors bought has a flaw
> on its list, they'll find it, but mis-architecture or even simple but
> unusual situations will fly right over their heads.
>
> [I'm sure I'll get flamed by a few of those guys. After all, they have
> a very profitable reputation to uphold, even if it is a lovely castle
> built from sand.]
>
> The "hiding behind famous products" problem is equally bad. Firms will
> now often say, proudly, that they are using the firewalls/security
> products/etc. of famous vendors X and Y, as though this meant
> anything. Just because you have a great door on your safe doesn't mean
> it fixes the paper walls around the vault.
>
> I once pointed out five minutes into an audit that a client was
> managing such a Famous Firewall Product via telnet with clear-text
> passwords passing over the network where the web servers that were
> likely to be broken in to were located. It was stunningly obvious that
> these people had built a large, steel safe door and then posted the
> combination in a paper envelope and taped it to the outside of the
> door. It hadn't even occurred to them to worry about such matters,
> because they were using Famous Firewall Product. Luckily, my
> observation caused some changes in that case, but often such reports
> are ignored.
>
> Don't get me wrong. The security situation at a few firms is very,
> very good. They're typically places with low politics, high amounts of
> technical clue among their systems administrative staff, and a desire
> for more than just appearances to be followed. Most firms, however,
> have become pathetic, relying on appearances of security and purchased
> security products to act as, to steal a phrase from Jeff Schiller,
> "Magic Security Pixie Dust."
>
> So, to answer Dave's question from his original posting, I'm certain
> it is more a question of when rather than if we see a major software
> vendor's products contaminated, possibly from the source on down, by
> intruders on their network. I've heard rumors of this already having
> happened, but I have no way to check them. However, the problem is
> almost certain to shift from possibility to Technicolor reality some
> time in the near future.
>
> Perry Metzger