December 7, 2007

Test Your Anti-Virus or Re-Install

Posted in Malware, Patches, Prevention, Risk Assessment, What doesn't work at 2:01 pm by jtbevis

On strategic risk assessments, not testing anti-virus signature updates before they are deployed should be considered a vulnerability.  Many of my customers believe this is ridiculous and not practical; however, I report it anyway.  Whatever the case, the organization can decide to accept the risk, as I am only there to point it out.  There is a great example published where a routine update caused serious problems, forcing customers to re-install the operating system.

http://news.yahoo.com/s/zd/20071206/tc_zd/221141;_ylt=AhIN_X.SMrgYGlzdK7zmNe8E1vAI

So you decide.  Should anti-virus software be tested before deployment?

September 19, 2007

Data Leak! What Not to Do!

Posted in Passwords, Threats, What doesn't work at 1:11 pm by jtbevis

The other day I performed an external penetration test and obtained access using a default password (which is common) that was not changed.  Afterwards I began looking up statistics on passwords and here is one of the links that was listed on a regular Google search.

http://staff.washington.edu/krl/stats/pwc/

Amazing that someone would, to this day, post such information on a public website.  Nice to know if this was my next external penetration target.  Wait, it gets better!  Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one level, which led me to these:

http://staff.washington.edu/krl/stats/

http://depts.washington.edu/ast/projects.old/

http://depts.washington.edu/ast/projects.old/pwedit.html

Thanks Ken for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:

  • Home directories /rc, /cg, /mailer

  • The mail server statistics that show me what appear to be system names and the number of entries in the /etc/passwd file.

  • The large directory listing with a plethora of information

  • The nice picture of your license

  • A password hash U:4001     A:2B314469   N:noyd       P:MWlJQdaJvoxaE    G:15       C:6

So why did I post this?

Two reasons.  One, I have a blog.  Two, because sometimes the best lesson you can learn is by seeing the mistakes of others.  Of course I plan to send an email to Ken and show him this blog entry.  If there is any follow-up to the story I will post another message.

July 26, 2007

Broken Links

Posted in What doesn't work at 1:56 pm by jtbevis

If at any time while browsing this blog you notice a link is not working, please leave a comment or send an email.  Yesterday I noticed the policy whitepaper link at Foundstone is not working.  I am currently working with McAfee to try and figure out where the document moved, or to get it uploaded back on the site.  My apologies, but in the future if you notice a problem with a link please point it out and I will update the site ASAP.  There is nothing more frustrating than broken links on a user’s website or blog.

July 19, 2007

MTA NYC Explosion: Poor Business Continuity

Posted in Business Continuity, Security Governance, Security Program Development, What doesn't work at 2:06 am by jtbevis

It’s amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can’t seem to get it right.  The link below has a summary of the disaster scenario.

NYC Steam Blast Explosion

Anyway, so NYC is falling apart and all the people that live in Connecticut and upstate New York need transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion was located outside Grand Central Station, where the Metro North trains depart NYC, so access to trains was limited.

Problem

More than 45 minutes after the disaster occurred, MTA still did not have its continuity plan in full action.  If you dialed the MTA-Info number listed on their web site you would be out of luck.  Response: all lines are busy.  The website did not have a service alert message for commuters.

http://www.mta.info/

Ok, phones out of service is expected, except that only MTA’s phones were the issue.  Next step: call 311 (the NYC information hotline); maybe the NYC main government information center can help figure out how to get out of the City.  311 staff didn’t know the status of the MTA trains.  311 staff also couldn’t contact MTA because phones were still out of service at MTA.  Out on the street it was worse.  The police were controlling the area, so they were the only government staff a person could ask a question.  The answer the police responded with was “you have to wait around”.

I can’t recall if it was the news or 311 that mentioned going to 125th Street, which is one of the stations the Metro North trains pass while going up north.  The only problem is that train stops were not modified, so sadly many commuters watched trains drive right past.

Improvement

This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines.  MTA needs to update their current plan to include:

  • A phone hotline that gets immediately updated with current crisis status and directions for customers (this should not be the normal MTA line; it should be a crisis information hotline, or utilize the current 311 system more effectively).

  • Faster update of the website for emergency situations.

  • Identify key contacts to improve downstream communications to the police on the street.

  • Re-evaluate train stops by communicating with the employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.

Good Practice

What did MTA do right?  They finally got the information out to the news channels and on the website, but I’m sure it was hard for people standing on the street to get the information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on Emergency Management

http://www.training.fema.gov/EMICourses/EMICourse.asp

DRJ has a good deal of information on business continuity and disaster recovery

http://www.drj.com/new2dr/model/bcmodel.htm

March 6, 2007

Enemy 1 & 2: Passwords and Patches

Posted in Passwords, Patches, Security 2.0, What doesn't work at 11:57 am by jtbevis

I could not help reading the Security 2.0 posts by Mark Curphey and I especially liked the Business Activity Monitoring discussion.  However, I see 2 major enemies that cause us pain every day and put organizations at great risk.  In my mind neither of these has been addressed properly.

Enemy #1: Many internal penetration tests obtain admin or root access by guessing passwords.

Enemy #2: What do I say?  Unpatched systems are an initial point of entry for many attacks, both internally and externally.  Tools like Metasploit make it even easier.

Of course I’m not throwing out statistics, but I see the results first hand weekly.  One can only hope that the Security 2.0 solution addresses the problems with passwords and patches.
