Forwarded from: Russell Coker <russell@coker.com.au>
On Thu, 28 Feb 2002 08:19, you wrote:
> Forwarded from: Steve Uhrig <Steve@swssec.com>
>
> > Date: Mon, 25 Feb 2002 08:32:03 -0600
> > From: "Huggins, Michael" <mhhuggins@firstcommand.com>
> > To: 'InfoSec News' <isn@c4i.org>
> > Subject: RE: [ISN] [TSCM-L] Security? Huh!
> >
> > Whenever I see something like this I always want to claim "BS", then I
> > think well how non PC of me this security professional did his job so
> > james bondish maybe uncle sam should hire him.
>
> 99% of my work is for governments. Who does he think hired me to do
> the penetration study? It was a government building. I'm not a
> freelancer. This is what I have been doing for a living for 30 years
> as of this year.
I can't understand why anyone would doubt such a story.
I have just carried a sealed steel box that is opaque to X-rays
through the security of three major world airports. The box is large
enough to fit a 9mm pistol. I was ready to open the box for
inspection (it should have been inspected), but was never asked. At
one of the three airports they asked what was in my bag that was
blocking their X-rays, I told them and they gave it a cursory
examination (but did not look inside), at the other two airports they
didn't even ask! I have had similar experiences in the past with
those three airports.
I would be happy to give a detailed account of the deficiencies in the
airport security systems to any law enforcement agents who wish to
contact me (and can prove their credentials).
But why does anyone expect government security to be so great?
One bank that I used to use stored documents containing names and VISA
card numbers in a place where any tall person could lean over the
counter and read them (they even had pens and note-paper handy if you
wanted to take notes). Also, as they were in easy reach, a customer
could probably just grab a handful while the teller was elsewhere;
withdrawing >$1000 in cash results in the teller being somewhere else
for a while. Also, at another branch of the same bank I was
reprimanded for withdrawing $4000 cash without prior notice; I was
instructed to phone them 30 minutes before to allow them to open their
time-delay safe if necessary...
Once with some friends I walked into the back door of a sold-out
concert, we didn't even realise that we'd done anything wrong until
after we were inside - the door was unlocked and there was a bar so we
just walked in and bought some drinks.
A company I used to work for had a server room with a moderate amount
of security. They had guards, doors with signs saying "you will be
sacked immediately if you prop the door open", video surveillance, etc.
The doors were routinely propped open because they didn't give
key-cards to even half the people who worked there, and you would need
a key-card to get to the toilet otherwise. All the big Sun server
machines were mounted in wheeled cabinets and there was a ramp leading
down to the back car park. For a period of a month there was
maintenance work in progress and the back door was kept open all day
(the guards stayed at the front entrance which was locked and didn't
visit the back entrance - also there was no functional camera covering
the back door). Anyone could have easily rolled $20M of Sun hardware
into a truck and been miles away before anyone noticed.
These are three examples of companies failing to do what is most
important to them regarding security! Banks should prevent fraud and
theft as their highest priority. Night-clubs have their main security
requirement being to keep unwanted people out. Network companies have
their main security requirement being to protect their servers and
infrastructure.
Security sucks everywhere! The overall culture is to know nothing
about security, to distrust people who know about security and want it
improved, and then to think that following a set of rules made up by
management or consultants will make things secure. While this culture
is in place any organization that wants good security will have a
tough battle trying to train their employees properly.
Where is the government going to find people who have experience in
security? Banks, commercial security companies, and night-clubs I
guess. So when the government wants to hire security people the
people who caused those three stuff-ups I described will be on the
applicant list...
--
If you send email to me or to a mailing list that I use which has >4
lines of legalistic junk at the end then you are specifically
authorizing me to do whatever I wish with the message and all other
messages from your domain, by posting the message you agree that your
long legalistic sig is void.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
Received on Fri Mar 1 07:38 CST 2002