Re: [ISN] [TSCM-L] Security? Huh!

From: InfoSec News (isnat_private)
Date: Fri Mar 01 2002 - 02:00:02 PST

  • Next message: InfoSec News: "[ISN] Anti-Virus's control fetish"

    Forwarded from: Russell Coker <russellat_private>
    On Thu, 28 Feb 2002 08:19, you wrote:
    > Forwarded from: Steve Uhrig <Steveat_private>
    > > Date: Mon, 25 Feb 2002 08:32:03 -0600
    > > From: "Huggins, Michael" <mhhugginsat_private>
    > > To: 'InfoSec News' <isnat_private>
    > > Subject: RE: [ISN] [TSCM-L] Security? Huh!
    > >
    > > Whenever I see something like this I always want to claim "BS",  then I
    > > think well how non PC of me this security professional did his job so
    > > james bondish maybe uncle sam should hire him.
    > 99% of my work is for governments. Who does he think hired me to do
    > the penetration study? It was a government building. I'm not a
    > freelancer.  This is what I have been doing for a living for 30 years
    > as of this year.
    I can't understand why anyone would doubt such a story.
    I have just carried a sealed steel box that is opaque to X-rays
    through the security of three major world airports.  The box is large
    enough to fit a 9mm pistol.  I was ready to open the box for
    inspection (it should have been inspected), but was never asked.  At
    one of the three airports they asked what was in my bag that was
    blocking their X-rays, I told them and they gave it a cursory
    examination (but did not look inside), at the other two airports they
    didn't even ask!  I have had similar experiences in the past with
    those three airports.
    I would be happy to give a detailed account of the deficiencies in the
    airport security systems to any law enforcement agents who wish to
    contact me (and can prove their credentials).
    But why does anyone expect government security to be so great?
    One bank that I used to use stored documents containing names and VISA
    card numbers in a place where any tall person could lean over the
    counter and read them (they even had pens and note-paper handy if you
    wanted to take notes).  Also as they were in easy reach a customer
    could probably just grab a handful while the teller was elsewhere,
    withdrawing >$1000 in cash results in the teller being somewhere else
    for a while.  Also at another branch of the same bank I was
    repremanded for withdrawing $4000 cash without prior notice, I was
    instructed to phone them 30 minutes before to allow them to open their
    time-delay safe if necessary...
    Once with some friends I walked into the back door of a sold-out
    concert, we didn't even realise that we'd done anything wrong until
    after we were inside - the door was unlocked and there was a bar so we
    just walked in and bought some drinks.
    A company I used to work for had a server room with a moderate amount
    of security.  They had guards, doors with signs saying "you will be
    sacked immediately if you prop the door open", video surveilance, etc.  
    The doors were routinely propped open because they didn't give
    key-cards to even half the people who worked there, and you would need
    a key-card to get to the toilet otherwise.  All the big Sun server
    machines were mounted in wheeled cabinets and there was a ramp leading
    down to the back car park.  For a period of a month there was
    maintenance work in porgress and the back door was kept open all day
    (the guards stayed at the front entrance which was locked and didn't
    visit the back entrance - also there was no functional camera covering
    the back door).  Anyone could have easily rolled $20M of Sun hardware
    into a truck and been miles away before anyone noticed.
    These are three examples of companies failing to do what is most
    important to them regarding security!  Banks should prevent fraud and
    theft as their highest priority.  Night-clubs have their main security
    requirement being to keep unwanted people out.  Network companies have
    their main security requirement being to protect their servers and
    Security sucks everywhere!  The overall culture is to know nothing
    about security, to distrust people who know about security and want it
    improved, and then to think that following a set of rules made up by
    management or consultants will make things secure.  While this culture
    is in place any organization that wants good security will have a
    tough battle trying to train their employees properly.
    Where is the government going to find people who have experience in
    security?  Banks, commercial security companies, and night-clubs I
    guess.  So when the government wants to hire security people the
    people who caused those three stuff-ups I described will be on the
    applicant list...
    If you send email to me or to a mailing list that I use which has >4
    lines of legalistic junk at the end then you are specifically
    authorizing me to do whatever I wish with the message and all other
    messages from your domain, by posting the message you agree that your
    long legalistic sig is void.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 05:33:53 PST