RE: Software vendor clueless

From: Jeff Peterson (jpetersonat_private)
Date: Tue Aug 19 2003 - 08:34:22 PDT


    For the sake of clarity:
    
    My customer did nothing wrong, and I don't lay any fault on them.  The issue
    is the software vendor who, as a development house, should know better.
    Forcing all of their customers to use the same 4-letter password and forcing
    them to leave PCAnyWhere ports open 24/7 begs derision.  In fact, it begs
    legal sanction.
    
    A month ago, an audit showed that the Exchange server was not acting as an
    open relay, and I know for a fact that this base of customers does not do
    any tweaking on their servers.  In fact, they originally called me last week
    to make sure they were protected from the msblaster worm.  They are even
    afraid to patch the systems, much less make any config changes.  Other than
    the software vendor in question, I am the only one who touches their
    servers.  I know I didn't make the config change, and I'm sure the sw vendor
    didn't make this change.  Given the physical security, I can only deduce
    that someone else took advantage of the weak password security, and helped
    themselves.
    
    I thank everyone for the suggestions.  It has been an education all its
    own.  I was able to use some of the grains of wisdom you people have shared
    with me, and met the vendor half way.  An independent third party security
    evaluation is now scheduled, and this whole thing will take its course in
    due time.
    
    Again, thank you all.
    
    Jeff Peterson
    
    -----Original Message-----
    From: Harlan Carvey
    To: incidentsat_private
    Sent: 8/17/03 9:22 AM
    Subject: Re: Software vendor clueless
    
    Jeff,
    
    First and perhaps most importantly, I think the issue
    at hand really lies with your attitude.  This is an
    attitude that's seen amongst extremely technical
    people when dealing w/ people they think are clueless.
    Remember, no one, particularly customers, is going
    to pay to be put down for their business decisions,
    even if those decisions were made with a lack of
    knowledge.  In fact, given your post, one would think
    that they hired you for your knowledge...but I doubt
    that anyone would hire a consultant to deride their
    choice of software, etc.
    
    In your post (below), you mention the problem. 
    However, there is no correlation between the weak
    admin password and the change in the server.  Even
    Exchange 5.5 on NT 4.0 can be configured relatively
    securely.  Yes, it makes sense to upgrade, but many
    places need a business case for making the investment.
    
    Vendors like those you describe are nothing new.  Nor
    is the AT&T managed firewall.  However, I think that
    you're approaching this the wrong way.  You shouldn't
    view yourself as "facing" this guy, and "making" him
    do anything.  You should be approaching this from the
    standpoint that you're helping provide a higher level
    of security to your customer.  
    
    Just a thought.
    
    Harlan
    
    > I have a customer whose company does legal work for lots of businesses.
    > The data housed on their network is what I would call 'financially
    > sensitive'.  Recently, I found their Exchange server had been turned into
    > an open relay.  It was not that way a month ago.  Once I stopped the
    > bleeding, I told them I wanted to change the Administrator password,
    > (NT4.0, Exch5.5.  I know, I know).  They told me they were not allowed to
    > change the password.  "Sez WHO", I asked.  "Our software vendor", they
    > replied.  Turns out the vendor in question has a niche market in this
    > kind of legal field.  Also turns out they use the same 4-letter, (no
    > caps, no special chars), administrator password on ALL their customers'
    > networks.  To make matters worse, they have PCAnyWhere ports open on all
    > these networks, because their software is so buggy, the developers need
    > to remote in and fix things all the time.  The spokesman for the group
    > claims that the AT&T managed firewall prevents anyone else from using the
    > PCNoWhere ports by IP address.
    >
    > I'm not a great negotiator, and I'm going to face the SW spokesman next
    > week.  He is a good spin doctor.  I'm looking for help in making him
    > secure his stuff.  All help is appreciated.
    >
    > Jeff Peterson
    > BTIIS
    >
    > ---------------------------------------------------------------------------
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    >  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    >  - Automatically Control P2P, IM and Spam Traffic
    >  - Ensure Reliable Performance of Mission Critical Applications
    >  - Precisely Define and Implement Network Security and Performance Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at:
    > http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > ----------------------------------------------------------------------------
    >
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:45:38 PDT