wakeup - Re: More hacked servers?
On Thu, 27 Nov 2003, Russell Coker wrote:
> On Thu, 27 Nov 2003 04:51, Matt Zimmerman <mdz@debian.org> wrote:
> > Big money does not imply big security. Large corporations with lots of
> > money to spend on security are compromised all the time. Obviously, they
> > aren't as forthcoming about it as Debian due to monetary concerns, but even
> > those incidents which are publicized are enough to demonstrate this.
>
> You are forgetting one important point. You have to NOTICE a hack before you
> can fix it. Big companies have a bad history of not even knowing that they
> are hacked if their web page is not defaced.
>
> One company I worked for had a machine where Apache would SEGV about 10,000
> times per day. I expect that you could exploit the system to execute
> arbitrary code, which could then gain access to the internal network.
>
> In spite of this my colleagues believed that their firewall did everything
> necessary to protect the internal network. The network was configured such
> that anyone who had access to the internal network effectively had root on
> all machines (there were so many ways of getting root it wasn't funny).
>
> AFAIK that network is still running in the same manner...
normally, it takes someone having gotten in before managers consider
"that a problem" and will go and fix it ... and allocate $$$ to fix
it, taking away their $$$ for other things
the bigger the company, the worse the budget for fixing things ( if it needs
fixing ) before it becomes an obvious emergency to get it fixed, which
is typically 100x more expensive after the fact
maybe a polite question to them would be, i'll get foo-high-school-kiddie
to try to get in ... to get the point across ... then they can fix
their firewall and other security process in whatever way they see fit
( at least it's an inexpensive pen-test for them )
( but get it in writing that it's okay to check some
exploit tools against their network )
c ya
alvin
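The thread's point that you have to notice a compromise before you can fix it, and the anecdote of an Apache server segfaulting about 10,000 times a day without anyone treating it as a problem, both come down to looking at the error log. The following is an added example, not code from the thread or from any poster: it counts `child pid N exit signal Segmentation fault (11)` entries per hour in an Apache 1.3/2.x style error_log and reports the hours that exceed a threshold. The log lines are constructed for the example; the threshold value is an assumption to be tuned per site.

```python
"""Count Apache child segfaults in an error_log and flag hours with an abnormal rate.

A steady stream of worker segfaults is a sign of either a crashing module or
someone probing a memory-corruption bug; either way it should page somebody.
"""
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 / 2.0 error_log line for a worker killed by SIGSEGV.
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal "
    r"Segmentation fault \(11\)"
)

# Constructed sample log for the example (not a real capture).
SAMPLE_LOG = """\
[Thu Nov 27 04:51:00 2003] [notice] Apache/1.3.29 (Unix) configured -- resuming normal operations
[Thu Nov 27 04:51:02 2003] [notice] child pid 1234 exit signal Segmentation fault (11)
[Thu Nov 27 04:51:03 2003] [notice] child pid 1235 exit signal Segmentation fault (11)
[Thu Nov 27 04:52:10 2003] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
[Thu Nov 27 05:12:44 2003] [notice] child pid 1240 exit signal Segmentation fault (11)
"""

# Assumed default: a healthy server should show close to zero worker segfaults,
# so even a handful per hour is worth a look. Tune per site.
DEFAULT_THRESHOLD = 2


def segfaults_per_hour(log_text):
    """Return a Counter mapping 'YYYY-MM-DD HH:00' -> number of segfaulting workers."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SEGV_RE.match(line)
        if not m:
            continue
        # Apache 1.3/2.0 timestamps look like 'Thu Nov 27 04:51:02 2003'.
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return counts


def hours_over_threshold(counts, threshold=DEFAULT_THRESHOLD):
    """Return the sorted list of hour buckets whose segfault count reaches the threshold."""
    return sorted(hour for hour, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_hour = segfaults_per_hour(SAMPLE_LOG)
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}: {n} worker segfault(s)")
    for hour in hours_over_threshold(per_hour):
        print(f"ALERT: {hour} exceeded {DEFAULT_THRESHOLD} segfaults")
```

Pointing this at the real error_log (instead of `SAMPLE_LOG`) from cron, or feeding the same regex to whatever log monitor is already in place, turns the "10,000 SEGVs a day" situation from something nobody sees into a daily alert.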