Slashdot Mirror


Is it Just Me, Or Is Our Mainframe Missing?

xnuandax writes "Here's a salient lesson for those system security personnel who spend their time fretting over the theoretical crack-ability of their 1024 bit encryption keys. Australian Customs have recently suffered a rather unfortunate setback in their "War Against Terror" with the admission that two of their secure mainframe servers have been wheeled out of the building by persons unknown. I'll bet my $2 that the root password on those boxes was 'trustno1'."

29 of 606 comments

  1. security? by chuckfucter · · Score: 2, Insightful

    Yeah, that's unfortunate, but I'm sure that the fault lies with their security guard, not the admins.

  2. Those pesky Pakistani-Indian-Arabians! by balthan · · Score: 5, Insightful

    Let this be a lesson...

    When you're caught being grossly negligent and incompetent, blame terrorists.

  3. simple security procedures by erfmuffin · · Score: 5, Insightful
    .. bah.. bloody idiots. And I bet these are the same people that call me up and expect me to tell them their passwords over the phone and then get pissed off because I want their details..

    Simple security procedures.

    Didn't anyone learn anything from losers like Kevin Mitnick?

    1. Re:simple security procedures by 1lus10n · · Score: 5, Insightful

      Didn't anyone learn anything from losers like Kevin Mitnick?

      Nope. If they did, social engineering wouldn't be as easy as it is, and believe me it is EASY. I work for an outsourcing company (3000 employees, dual OC 192 connections, and two brand new V880's) and they don't employ ONE security person, they have no security policy. And we are doing work for some of the top companies in the telecom/datacom industry. Amusing from my perspective anyway.

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
  4. Re:I bet I know where those machines are... by gregfortune · · Score: 4, Insightful

    As the article states, they were likely after information, not hardware. It's likely that hardware will be destroyed after the info is sucked off of it.

  5. Re:Mainframe repairmen! by gregfortune · · Score: 2, Insightful

    Read the article. It states that the thieves were likely after information instead of hardware. The value of the hardware is nothing compared to the information that *might* be on the servers.

  6. Biggest security hole in any corporation... by silverhalide · · Score: 5, Insightful

    This just reminds us what the greatest risks are to any secure system: social engineering and inside men. If you look authoritative and dress up in a serviceman's outfit, very few people will question your actions. You can steal furniture, computers, machinery, tools, whatever by just looking important. By impersonating a sysadmin on the phone, you can easily talk passwords out of gullible people. With a fake service order "signed" by the right people, the odds are endless.

    On the same note, people inside an organization are often responsible for hacks, stolen information, and other things since they have the keys already!

    It just goes to show the weakest portion of any system is the people.

    1. Re:Biggest security hole in any corporation... by Anonymous Coward · · Score: 1, Insightful

      Act Important. Tell someone what to do. Much better.

      Besides - WTF carries a clipboard anymore? I haven't seen one in a plant in at least 10 years.

  7. Re:Australia by sk0pe · · Score: 1, Insightful

    Dunno if this is a troll but...

    Australia sent SAS troops to Afghanistan and Iraq.

    We were targeted by Jemaah Islamiyah in the Bali Bombing.

    Yeah, it's probable Australia is a potential target for terrorists...

    --
    Tempus fugit sub anesthesia.
  8. No official BS by jsse · · Score: 5, Insightful

    The Australian Customs Service has admitted the security blunder, but told customs officers in an email that no sensitive operational information was lost.

    As we can see it's a well-planned action, and there's almost no way to sell the two mainframes for good profit. The major cost center of a mainframe lies mainly in the operation and maintenance, which are not applicable to stolen hardware.

    Obviously, their target is the data within. If the authorities do not start investigating what information the thieves are looking for and the possible use of the information within the stolen hw, the consequence might be very serious.

    No more official BS. Do something before it's too late.

    1. Re:No official BS by wagemonkey · · Score: 5, Insightful
      They weren't mainframes, they were servers.

      1) If it was a mainframe there'd be no point stealing the CPU, there's no hard drives in it, you need to take the DASD.
      2) If it was a mainframe CPU and/or DASD 2 guys couldn't hack it - you'd need a crane or possibly a forklift- if it's a small box. They are big+heavy.
      3) Of course the bigger mainframes are water cooled, so they'd need more time for the plumbing or someone would have noticed the leaks...

      The article says they were let into the mainframe room and put the computers on trolleys, then later they refer to "mainframe servers". It doesn't add up - what a surprise, the reporting is vague.

      Still, in my opinion (fwiw) the most likely thing stolen is big HP/IBM/DELL servers. These are often put in mainframe rooms to take advantage of the (ha!) physical security, air-con and halon systems. You'd also be a lot more confident of being able to actually hack in to one of these, without the dedicated power supply and other costs you mentioned.

  9. Covering their arses by Catharz · · Score: 3, Insightful

    The Community and Public Sector Union, which represents customs officers, has asked for guarantees that none of its members is at risk as a result of the theft.

    They've got to be kidding.

    IMHO there should be some investigation into this level of incompetence. Procedures should be in place and followed. If procedures were followed, the person responsible for security (and the procedures) should be put out on their arse with zero chance of another job in security. If procedures weren't followed, the staff that didn't follow them should get their arses kicked.

    --
    To know that you know what you know, and that you do not know what you do not know, that is true wisdom. --Scooby Doo
    1. Re:Covering their arses by cyril3 · · Score: 3, Insightful
      It's worse than that. They want guarantees that their members are not at risk from terrorists.

      No one will lose their job. Bureaucrats are good at setting it up so that everyone is doing their job perfectly well and can only be complimented on their good work even though everything is fucked up beyond belief.

      How many American civil servants lost their jobs because of 9/11 (except the ones who actually tried to warn people)? So why would a little mainframe theft lead to dismissal?

  10. Mainframes or file servers? by klevin · · Score: 5, Insightful

    If, as described, they were actual mainframes, the Customs people's statement that no sensitive info was lost/stolen might not be too far from the truth. In servers & other high end systems, it's not uncommon for the hard drives in the computer to contain only the OS & applications. The data used/created by the applications would be on a RAID attached to the computer. If that was the setup of the systems, the only actual data would be system passwords and possibly temp data currently in use at the time of shutdown.

    If, however, one or more of the systems was a RAID or some such data storage system, then the Customs people are (as expected) lying through their teeth. The next question would be whether or not some form of encryption was in use (fs or application level).

  11. Don't let the truth get in the way of the story by Anonymous Coward · · Score: 2, Insightful

    OK to quote from the article:

    After supplying false names and signatures, they were given access to the top-security mainframe room. They knew the room's location and no directions were needed.

    Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building.


    Nowhere does it say that two mainframe computers left the building, only that they got access to the mainframe room. All the mainframes I ever worked on had their own wheels they were so big.

    This is just typical lazy and/or sensational reporting by the original journalist.

    Someone should read these before they get posted here. The Story is about lax access for the computer room - not about mainframes being stolen.

  12. Re:Like my sneakers? by Anonymous Coward · · Score: 0, Insightful

    "TOO MANY CASTERS" (referring to how they wheeled the servers out?)

    or did you mean SETEC ASTRONOMY?

  13. This means that by poemofatic · · Score: 4, Insightful

    to access your data, I have to know your publicly available ID and I have to have access to the phone in your (unlocked) cubicle.

    How well does your company pay their cleaning/janitorial staff? Suppose a coworker went into your cubicle and called IT from your phone -- how would security find out who did it?

    I would assume that they would need to see your ID (as well as you) before resetting your password. If that is too burdensome, then have a system in which you contact your manager or HR. One of these can then log in through a secure connection and file a password reset request with your ID to the remote IT support site. The fact that they are logged in (with their password) at least ensures there is a starting point for an audit, and the odds of impersonation are less likely.

    --

    When in doubt, have a man come through a door with a gun in his hand.

    1. Re:This means that by Jerf · · Score: 4, Insightful

      to access your data, I have to know your publicly available ID and I have to have access to the phone in your (unlocked) cubicle. etc. etc. etc.

      He didn't claim his security was perfect. There's always a way around security; mere existence of a way around it does not automatically mean it's worthless. It raises the bar, I'd bet money it provides a paper trail, and as long as the employee isn't on vacation, the employee will detect it when they try to login next and can't because the password changed. (Detection isn't instant but should average less than a day.)

      I post this because this is one of the common mistakes made in security, not doing a risk analysis and just assuming you need "more". I strongly suspect that unless the grandparent poster is working for the NSA, that they've successfully raised the bar past what anybody who cares can hurdle. Spending more on a more restrictive regime would just be a waste of money.

  14. Re:Yeah, typical by sql*kitten · · Score: 2, Insightful

    Like for ages IBM's mainframes had a standard privileged technician account with the password "musigate", very useful when some BOFH expired my accounts. Ooops, you mean it's still musigate now?

    Oracle's default SYS password is change_on_install. You'd be surprised at how many people will type that every day, and not change it.

  15. Re:Mainframe repairmen! by 1u3hr · · Score: 5, Insightful
    Read the article. It states that the thieves were likely after information instead of hardware.

    The article "states" that, but how does anyone know? The thieves didn't give any interviews.

  16. Re:Maybe they were repossesed? by aziraphale · · Score: 2, Insightful

    When you've eliminated the impossible, what remains, no matter how improbable, must be the truth. So...

    I'd say the repo guys had access to a fully functioning matter transporter.

  17. Re:This is what happens ... by digitalunity · · Score: 2, Insightful

    The only reason why waiters are an angry bunch is because they're such losers.

    Slow down there, you just insulted several million Americans. Did you know that in some states in the US like Florida and Ohio, federal minimum wage doesn't apply? They are paid just over $2 per hour. If they weren't tipped, they would walk home with almost nothing.

    They're just doing their job, I guess you don't tip Taxi cab drivers either? The gratuity is for going above and beyond doing their job. I could just bring a person a drink and their food and probably get by with saying 20 words or less. Isn't it nice to go out to a restaurant and get nice service, someone who will help guide you through the menu while being friendly and courteous? Most people around here seem to agree with me, as 9 out of 10 people tip 10% or more on the price of their meal.

    Maybe you just don't understand the value of appreciation.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
  18. Re:How is this unusual? by MKalus · · Score: 2, Insightful
    This is by no means unusual. I've been to places where the IT employees did not know which servers do what, how many servers they actually have, or what the passwords are. In a place like that, a missing server may not be noticed for days!


    Oh, that sounds like a place I worked once. The DBA and I were joking that we could just roll out the main database server and put something cheap like a desktop PC in the backend, nobody would know, because besides him and me none knew what we were doing nor on what hardware.

    --
    If you want to e-mail me, use my PGP Key.
  19. Outsourcing and security by Badgerman · · Score: 4, Insightful

    They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider which regularly sends people to work on computers after normal office hours.

    Another reason you should be damn careful about how you outsource, who you outsource with, and the security involved. People need to know who they're really dealing with and how to check.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  20. Experience in post 9/11 NYC by Halo- · · Score: 4, Insightful

    I had to visit the data center for a major financial center in Jersey City, NJ shortly after WTC. (A lot of the big iron is across the river from Manhattan... for price reasons more than security) Because of the sudden lack of available downtown office space, every available empty space in Jersey City was suddenly rented out.

    So... I walked in to see my customer. I was surprised at the new security in place. I showed my company badge, signed in, and was led to a desk under a sign marked "High Value Transactions". Plopped me right down in front of a terminal. I was really confused. The setup was totally different than what I was expecting from previous visits. So I started looking around for people I knew, etc... After about 10 minutes I realized I was in the data center for the WRONG company!

    So I got up and left. I have no idea how long I could have stayed there, or what I could have done. I suspect that if I had gotten out a screwdriver, I could have likely started shopping for hardware.

    Moral of the story: chaos breeds insecurity, and an "official" plastic badge with your picture on it is shockingly powerful.

  21. Re:This is what happens ... by cicho · · Score: 2, Insightful

    As one who lives in Central Europe (funny how we used to be called Eastern Europe, then were somehow moved westward!), I wish this would stop. It's not tipping, it's plain corruption. Physicians at all levels expect bribes, they actually come up to you and demand money explicitly - try not to pay when the guy is taking care of your wife who's about to give birth. (Didn't happen to me; did happen to someone in the family.)

    But it sure as hell isn't a tradition or custom to be respected, it's a corrupt practice and people should rot in jail for it. DON'T bribe doctors if you can get away with it, it only encourages this. Or pay the bribe if the bastard demands one, then IMMEDIATELY report him to the cops. Here in Poland at least, there's a new law that says if you do this, they bust his ass and you're clean.

    --
    "Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
  22. My personal experience by eaddict · · Score: 2, Insightful

    When I was in college I worked for the computer lab. One day we set out to upgrade all the PCs. What we had to do first was get the old ones out of the way. We backed an unmarked white van up to the computer lab, opened the doors to the lab, and started taking the machines. It was during a school day. Students and faculty were walking by watching us. Occasionally one would even lend a hand (hold a door open a bit more, pick up a dropped mouse, etc... ) No one questioned us. Not even the student worker running the lab. We had not even made conversation with the worker during the entire time. After we loaded up the 20+ PCs and headed out our boss decided to call the lab and 'warn them against people stealing PCs'. The worker freaked! He said he was there when it was happening but since "they looked like they knew what they were doing so I didn't question them." The boss then let him in on the real story.

    The key: just look like you know what you are doing.

    --
    "If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
  23. Re:I bet I know where those machines are... by linzeal · · Score: 2, Insightful
    Your site is from 1999?

    Ok steps to getting out of your parents house

    1. Tell them that you want to move out, ask for no money at this time.
    2. Fill out your FAFSA, and apply for a college in your area.
    3. Go to said college once accepted, tell them you are interested in Federal Work Study and anything else they have. If you work for most colleges, tuition and sometimes limited housing for TA's is free. (BTW, I am a TA telling you this.)
    4. You do not need a car!!! A car will bankrupt you as a first time independent student if you are just starting out. So learn to use the Bus, subway, and cute girls for rides. You would be surprised at how easy it is to ask for a ride from a girl compared to a date, and with colleges being designated promiscuous zones how often you will end up at least being allowed to make a pass at one of them. You will still be expected to initiate verbiage just read the subtle clues like pulling up of shirt to show belly, mindlessly touching her hips, etc.
    5. Once you get your financial aid pay for 3-4 months of rent!! Do not fuck up man, your parents are not piggy banks.

    6. Get a real job like taco bell if you have to. Pride = Broke ass motherfucker | Humility = Above poverty-line minimum wage warrior

  24. Re:This is what happens ... by fishbowl · · Score: 2, Insightful

    "Many restaurants do that. You work, you get $2.25/hr (or whatever the boss is nice enough to pay you). So in most places, the staff are very dependent on your tips."

    I've never been able to resolve this for one second with the notion of a Federal Minimum Wage.
    Period. It's been explained to me, and I understand the economics, but I can't deal with it. Either there is a Federal Minimum Wage or there isn't.

    Because restaurant people don't have to be paid the same minimum as any other labor, I am forced to conclude that "there isn't".

    --
    -fb Everything not expressly forbidden is now mandatory.