Stealing Data? A Sniffer Shows it's Easy
museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article "the Sniffer vs the Cybercrooks" (it's worth the cookie). From the article: ""Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back.....A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets....""
What's cheaper in the mind of a shortsighted executive that can only see ahead to about a three to six month range?
Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
People expect thieves to act like thieves. Act like you know what you're doing, and you can walk out with most data.
Another lesson -- put AP mines in your crawlspaces.
1. Education
2. Education
and
3. Education
Without education, a junior sysadmin can open ports on your firewall, or run up their own harmless little p2p box in the DMZ.
Users will share their credentials, or choose weak ones.
Someone will find the false positives from the NIDS to be annoying, and route the output to /dev/null.
Removed code will be reinstalled. And so on...
All is in vain without education.
The problem is that companies are run by people, and unless they are technology companies, they don't employ technology-savvy people.
Most people in most companies have a fundamental lack of understanding of what the security risks are and what their nature is, even after you explain it to them.
For any given security risk, high- and mid-level management expect to simply be able to buy one expensive product to fix it (not really even understanding what it means to "buy" a security product in the first place--that's IT's job). They don't even understand that there could possibly be anything more that needs to be done, and it's very difficult to get them to understand this.
And if there is no commercial product that advertises itself specifically as "the fix" to a given security risk, management often refuses to even conceive that the risk might exist, so trapped are they in the worldview that "if there's really a problem, someone will have made a product to fix it; if no-one sells a product to fix it, then it must not actually be a problem."
Things like changing the settings of a product or altering behaviors of employees or the topologies of network are simply beyond their understanding because they just don't have that deep a view of the technology-- the entire corporate network is just a pile of magic products to them and any product will either fix a problem, in which case it's a good product, or it won't, in which case (they believe) they bought the wrong product.
As far as they are capable of understanding, throw some IBM, some Cisco, and some Microsoft all into a cement mixer and stir, and *boom*, corporate network and you have "instant 21st century!"
STOP . AMERICA . NOW