lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4471C349.6060201@haveyoubeentested.org>
Date: Mon May 22 14:58:08 2006
From: sol at haveyoubeentested.org (Sol Invictus)
Subject: Responsibility

Paul Schmehl wrote:

> --On May 22, 2006 8:05:47 AM +1000 Greg 
> <full-disclosure3@...andyman.com.au> wrote:
>
>> Large motel/hotel chain I recently acquired wants to sue previous 
>> company
>> who did their I.T. work for them as a customer's wifi connected machine
>> infected their network and caused loss of booking data thus money.
>>
>> My question then is - if you have done the utmost to lock down your
>> customer but someone connects an infected machine and somehow it gets 
>> in,
>> is the customer right in suing you?
>
>
> There's way too many unanswered questions here to provide an 
> intelligent answer.
>
> 1) What was the nature of the virus?  New and undetected?  Or old and 
> well known?
> 2) What was the status of patching?  Current?  Or way behind?
> 3) What was the response to the infection?  Rapid and effective?  Or 
> slow and ineffective?
> 4) Where the critical assets protected from the rest of the network?  
> Or exposed?
> 5) What was the nature of the security effort?  Organized and focused? 
> Disorganized and unfocused?
>
> Those are just some starting questions.  You would need to know much 
> more to accurately assess the culpability of the previous company.

Responses to previous Questions.

1) This is Moot.  When designing a "public" network you must always 
assume that these are the worst possible machines that are accessing the 
network.  The design must reflect and prepare for this.
2.)  Good question.  I would add... What does their policy state about 
patching?
3.)  I would add, how soon after infection was it discovered?
4.)  to add here... Were the critical assets DoS'd by this or infected 
themselves?
5.)  Great generic question.. The answer to this would lead to many more 
questions.

More Questions

1) What was the scope of the original project?
2) Did the IT consultant raise the issues that are now rearing their 
Ugly head?  If so, what and who made a decision?
3) Who's decision was it to put the customers on the same network as the 
Hotel itself?  (This is the person that should be held responsible for 
this.)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ