http://www.projo.com/cgi-bin/story.pl/news/05804531.htm

7.10.2001 00:05

Internet security: Can R.I. hack it?

* The auditor general will put Rhode Island government computers to the security test, but results might not be made public.

...

My fave quote from me :)

"The same behavior and, quite frankly, the almost purposeful stupidity that exists where business sites get credit cards stolen seem also to exist in a lot of government sites -- which is surprising, because you'd expect some sites to be better protected," O'Connor said.

Two interesting things:

1) The article was supposed to focus on the Auditor not releasing the results of the audit for fear of attack, or even stamping the secured and tested sites, for fear of attacks on other sites. I recommended a deadline approach...

2) The MIS director (at the time of the Attorney General defacement) emailed to complain that I diagnosed his problem from afar without knowledge. He said the PoisonBox attack came in via an alternate attack than the ../../ style attack. He was quite reasonable and agreed most people bury their heads in the sand rather than utilize today's technology. They secured the box, and removed all the important data (or never put it there), but someone inadvertently opened a hole.

--
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com