[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

wakeup - Re: More hacked servers?

On Thu, 27 Nov 2003, Russell Coker wrote:

> On Thu, 27 Nov 2003 04:51, Matt Zimmerman <mdz@debian.org> wrote:
> > Big money does not imply big security.  Large corporations with lots of
> > money to spend on security are compromised all the time.  Obviously, they
> > aren't as forthcoming about it as Debian due to monetary concerns, but even
> > those incidents which are publicized are enough to demonstrate this.
> You are forgetting one important point.  You have to NOTICE a hack before you 
> can fix it.  Big companies have a bad history of not even knowing that they 
> are hacked if their web page is not defaced.
> One company I worked for had a machine where Apache would SEGV about 10,000 
> times per day.  I expect that you could exploit the system to execute 
> arbitary code, which could then gain access to the internal network.
> In spite of this my colleagues believed that their firewall did everything 
> necessary to protect the internal network.  The network was configured such 
> that anyone who had access to the internal network effectively had root on 
> all machines (there were so many ways of getting root it wasn't funny).
> AFAIK that network is still running in the same manner...

normally, it takes someone having gotten in before managers consider
"that a problem" and will go and fix it ... and allocate $$$ to fix
it taking away their $$$ for other things

bigger the company, worst the budget for fixing things ( if it needs 
fixing ) before it becames an obvious emergency to get it fixed which
is typically 100x more expensive after the fact

maybe a polite question to them would be, i'll get foo-high-school-kiddie
to try to get in ... to get the point across... than they can fix
their firewall and other security process in whatever way they see fit
	( at least its an in-expensive pen-test for them )
	( but get it in writing that its okay to check some
	( exploit tools against their network

c ya

Reply to: