Message-ID: <Pine.GSO.4.43.0508171351570.12398-100000@tundra.winternet.com>
Date: Wed Aug 17 20:41:07 2005
From: dufresne at winternet.com (Ron DuFresne)
Subject: It's not that simple... [Was: Re: Disney Down?]


	[SNIP]

>
> Greg Smith, the county's assessor, recorder and clerk, said "As long
> as we're up (today), we'll be fine"  Greg Smith is thinking much too
> lightly of the situation.  Their systems just got hit with an exploit
> that allows for remote code execution and elevation of privilege.  If
> I was him, I would be very concerned about data theft, and performing
> network wide audits.
>
> "Yesterday's crash marked the third time in recent weeks that
> significant computer problems have affected county government."  Well,
> enough said about Greg Smith or whoever manages SDC's systems...
>
> Let's take a look at the ISS advisory that makes a respectful analysis
> of the phrase "code execution and elevation of privilege":
>
> "Successful exploitation of this vulnerability could be leveraged to
> gain complete control over target systems, and might lead to malware
> installation, exposure of confidential information, or further network
> compromise. Due to the widespread use of the affected operating
> systems and the critical nature of component affected, it is likely
> that servers and desktops used for a wide variety of purposes are
> vulnerable to this issue."
>
> The initial exploited fault aside, I see no excuse for this.
>
>


Of course you are correct, there is NO excuse for this in any setting,
yet, considering the past ten years of GAO audits and advisories on the
federal side of gvt systems, what makes one think that state and local
county govs would have any better standing?  Part of the problem is that
govs wish to pay nothing and get everything in return, and are extremely
poor in getting out raises and tend to pull back immensely on the benefit
packages, if one can really label them such.  So, they tend to get "what
they pay for", which in the case of the gov site I work under, is a bunch
of certified idiots that lack the skills to do what they have been tasked
to do.  Their vested interest lies in a "proper public presentation,"
meaning they don't hire folks that lack a suit and tie, and thus have
missed out in recruiting into their realm persons with the skills to
actually make a difference, if not for the following:  Not to mention
that no one wishes to take responsibility, for that might also task them
to accountability.  I can tell you for a fact that since our unskilled
sec folks where I work won't go "outside the border" to discover vuln
info that they did not get a clue about the recent trojan till far after
the fact that many sites had been hit by it.  In fact their announcement
came out this AM, from their multi-state vuln/sploit notification council...

There is no excuse for doing below minimum and little excuse for scraping
along at minimum, with taxpayers footing the bill, but that's life in gov
settings and more so perhaps in state and county govs that lack the
auditing controls like the GAO <smirk>


Thanks,


Ron DuFresne
-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

