Forwarded from: Russell Coker <russellat_private>

On Thu, 28 Feb 2002 08:19, you wrote:
> Forwarded from: Steve Uhrig <Steveat_private>
>
> > Date: Mon, 25 Feb 2002 08:32:03 -0600
> > From: "Huggins, Michael" <mhhugginsat_private>
> > To: 'InfoSec News' <isnat_private>
> > Subject: RE: [ISN] [TSCM-L] Security? Huh!
> >
> > Whenever I see something like this I always want to claim "BS", then I
> > think, well, how non-PC of me; this security professional did his job so
> > James Bondish, maybe Uncle Sam should hire him.
>
> 99% of my work is for governments. Who does he think hired me to do
> the penetration study? It was a government building. I'm not a
> freelancer. This is what I have been doing for a living for 30 years
> as of this year.

I can't understand why anyone would doubt such a story.

I have just carried a sealed steel box that is opaque to X-rays through the security of three major world airports. The box is large enough to fit a 9mm pistol. I was ready to open the box for inspection (it should have been inspected), but was never asked. At one of the three airports they asked what was in my bag that was blocking their X-rays; I told them and they gave it a cursory examination (but did not look inside). At the other two airports they didn't even ask! I have had similar experiences in the past with those three airports.

I would be happy to give a detailed account of the deficiencies in the airport security systems to any law enforcement agents who wish to contact me (and can prove their credentials).

But why does anyone expect government security to be so great?

One bank that I used to use stored documents containing names and VISA card numbers in a place where any tall person could lean over the counter and read them (they even had pens and note-paper handy if you wanted to take notes).
Also, as they were in easy reach, a customer could probably just grab a handful while the teller was elsewhere; withdrawing >$1000 in cash results in the teller being somewhere else for a while. Also, at another branch of the same bank I was reprimanded for withdrawing $4000 cash without prior notice; I was instructed to phone them 30 minutes before to allow them to open their time-delay safe if necessary...

Once with some friends I walked into the back door of a sold-out concert. We didn't even realise that we'd done anything wrong until after we were inside - the door was unlocked and there was a bar, so we just walked in and bought some drinks.

A company I used to work for had a server room with a moderate amount of security. They had guards, doors with signs saying "you will be sacked immediately if you prop the door open", video surveillance, etc. The doors were routinely propped open because they didn't give key-cards to even half the people who worked there, and you would need a key-card to get to the toilet otherwise. All the big Sun server machines were mounted in wheeled cabinets and there was a ramp leading down to the back car park. For a period of a month there was maintenance work in progress and the back door was kept open all day (the guards stayed at the front entrance, which was locked, and didn't visit the back entrance - also there was no functional camera covering the back door). Anyone could have easily rolled $20M of Sun hardware into a truck and been miles away before anyone noticed.

These are three examples of companies failing to do what is most important to them regarding security! Banks should prevent fraud and theft as their highest priority. Night-clubs have their main security requirement being to keep unwanted people out. Network companies have their main security requirement being to protect their servers and infrastructure.

Security sucks everywhere!
The overall culture is to know nothing about security, to distrust people who know about security and want it improved, and then to think that following a set of rules made up by management or consultants will make things secure. While this culture is in place any organization that wants good security will have a tough battle trying to train their employees properly.

Where is the government going to find people who have experience in security? Banks, commercial security companies, and night-clubs I guess. So when the government wants to hire security people, the people who caused those three stuff-ups I described will be on the applicant list...

--
If you send email to me or to a mailing list that I use which has >4 lines of legalistic junk at the end then you are specifically authorizing me to do whatever I wish with the message and all other messages from your domain, by posting the message you agree that your long legalistic sig is void.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 05:33:53 PST