Slashdot Mirror


Stealing Data? A Sniffer Shows it's Easy

museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article "the Sniffer vs the Cybercrooks" (it's worth the cookie). From the article: '"Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back..... A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets....'"

17 of 206 comments

  1. NYT Registration by PktLoss · · Score: 3, Insightful

    Has anyone from /. / OSTG ever thought about asking NYT for a system like the blogger registration-free linking thing?

    Just a thought

  2. nice by Renraku · · Score: 4, Insightful

    What's cheaper in the mind of a shortsighted executive that can only see ahead to about a three to six month range?

    Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  3. Basic Security Lesson: by DingerX · · Score: 4, Insightful

    People expect thieves to act like thieves. Act like you know what you're doing, and you can walk out with most data.

    Another lesson -- put AP mines in your crawlspaces.

    1. Re:Basic Security Lesson: by scibbers · · Score: 2, Insightful

      Lesson learned from playing too many video games: AP mines = guaranteed TK. Problem is in real life there is no respawning...

  4. Re:protect yourself using SATAN by Anonymous Coward · · Score: 1, Insightful

    Competent people don't get caught.

  5. Knowing is half the battle. by Baddas · · Score: 3, Insightful

    The key to this is that knowing what he thinks is secret is half the battle to finding it out.

    Once the executive told him where to target, that made it much easier. If you're talking about sniffing the entire network output of a company looking for important stuff... that's a much harder task.

  6. Security through obscurity by lgordon · · Score: 2, Insightful

    I would have been impressed if the CEO didn't tell him what data he thought was most important and he was able to both figure it out and acquire it.

  7. Uhhh... by jd · · Score: 2, Insightful

    SATAN is a vulnerability scanner. It was actually the first Open Source vulnerability scanner out there and reputedly got the author kicked out of SGI. It had a patch to rename it SANTA, because some people objected to the name. A revamped, commercial version was called SAINT.

    There are sniffer detectors out there, but I'd not want to use SATAN for it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re:Good points by Hal9000_sn3 · · Score: 5, Insightful

    You seem to have left out the three most important things.

    1. Education

    2. Education

    and

    3. Education

    Without education, a junior sysadmin can open ports on your firewall, or run up their own harmless little p2p box in the DMZ.

    Users will share their credentials, or choose weak ones.

    Someone will find the false positives from the NIDS to be annoying, and route the output to /dev/null.

    Removed code will be reinstalled. And so on...

    All is in vain without education.

  9. Re:Good thing...but far from perfect? by aussersterne · · Score: 4, Insightful

    The problem is that companies are run by people, and unless they are technology companies, they don't employ technology-savvy people.

    Most people in most companies have a fundamental lack of understanding of what the security risks are and what their nature is, even after you explain it to them.

    For any given security risk, high- and mid-level management expect to simply be able to buy one expensive product to fix it (not really even understanding what it means to "buy" a security product in the first place--that's IT's job). They don't even understand that there could possibly be anything more that needs to be done, and it's very difficult to get them to understand this.

    And if there is no commercial product that advertises itself specifically as "the fix" to a given security risk, management often refuses to even conceive that the risk might exist, so trapped are they in the worldview that "if there's really a problem, someone will have made a product to fix it; if no-one sells a product to fix it, then it must not actually be a problem."

    Things like changing the settings of a product or altering behaviors of employees or the topologies of network are simply beyond their understanding because they just don't have that deep a view of the technology-- the entire corporate network is just a pile of magic products to them and any product will either fix a problem, in which case it's a good product, or it won't, in which case (they believe) they bought the wrong product.

    As far as they are capable of understanding, throw some IBM, some Cisco, and some Microsoft all into a cement mixer and stir, and *boom*, corporate network and you have "instant 21st century!"

    --
    STOP . AMERICA . NOW
  10. The reality of the situation... by clambake · · Score: 3, Insightful

    Tell me the things you most want to keep secret

    That, right there, was the single biggest security breach. By far, the amount of data that is out there is simply too much for a random hacker to grab some data and make a profit from it. He needs to know what data he can use. Professional data thieves already know what they want to steal, but they are not the types to simply be stopped by security measures of any kind. If worse comes to worse, he can always just get a job as a janitor, or better yet, a security guard at the place he wants to steal from and flout ALL security measures.

  11. Re:It is very easy by Anonymous Coward · · Score: 1, Insightful

    One of the best ways to get someone to tell you how to circumvent the security of their company is to tell them a story of how easy it is to break in and steal stuff from various other companies. They can't help themselves, they are so proud of the security at their company that they tell you all about it.

  12. Re:Good points by timmarhy · · Score: 2, Insightful

    I tend to agree with education being important, apart from letting them choose their own passwords, since people will always choose crap passwords. I have found the most helpful thing you can do to enforce security policies is to get the staff on your side. A fun demonstration or something to keep them involved and not feeling like the enemy. Often when people instigate security policies staff end up in a them vs you situation. And in that case you're going to lose, because insiders will always find a way to thwart the best laid security.

    --
    If you mod me down, I will become more powerful than you can imagine....
  13. Security and Big Corps by threaded · · Score: 2, Insightful

    Big Corps only bother about security if a major shareholder gets upset by a security breach. The chances of a major shareholder getting wind of a security breach are minimal, unless it gets in the media.

    Hence most security in Big Corps is to prevent media people getting notice of security breaches.

    HTH.

  14. Re:Good points by Chandon+Seldon · · Score: 2, Insightful

    I don't understand this obsession with open ports. The firewall is a kludge to make up for insecure services that you haven't managed to turn off on machines behind it - if there are no insecure services running, there's no security issue.

    Now, I'm not going to argue that you shouldn't have firewalls, because they protect against random idiots turning on services that should be turned off as well as against some OS network stack vulnerabilities, but I can *assure* you that if a competent JR System administrator has decided to open port 16773 on the firewall for some random specific service he'll be running, it's a hell of a lot smaller a security risk than having outgoing port 80 open.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  15. Re:well by UltimateRobotLover · · Score: 2, Insightful

    Don't forget, the cost of hacking a network is a function of the sysadmin's salary and his loyalty to the company.

  16. Why? by DroopyStonx · · Score: 2, Insightful

    I'm sick of these assholes submitting stories and not posting regfree NYT links.

    Seriously, why NOT post a regfree link? You KNOW damn well they exist, so what the hell is the problem?

    Instead of wasting our fucking time by either registering or logging in, you should spend an extra 2 minutes finding the regfree link.

    Be a bit more courteous.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!