Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealing Data? A Sniffer Shows it's Easy

Posted by timothy on from the duh dept.

museumpeace writes "Though its not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article "the Sniffer vs the Cybercrooks" (it's worth the cookie). From the article: ""Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back.....A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets....""

14 of 206 comments (clear)

  1. BugMeNot by Fermatprime · · Score: 4, Informative

    http://www.bugmenot.com/

    gets you past registration

    --
    I hate the one hundred and twenty character limit for signatures with an all-enveloping, all-destroying, incredible pass
    1. Re:BugMeNot by pyrrhonist · · Score: 4, Informative
      or we can all use this from now on: username AnonymousCoward password password

      No, actually, you can't. The NYT routinely removes accounts that are being used by more than one IP.

      That's why you need to use the bugmenot.com site mentioned above (i.e. logins that no longer work are removed from bugmenot's database). Furthermore, bugmenot works with other sites besides the NYT.

      Also, for Firefox users, you can try the extension.

      --
      Show me on the doll where his noodly appendage touched you.
  2. well by chrisxkelley · · Score: 5, Funny

    just takes ya back to the saying "the most secure server is one that's offline" :)

  3. Good thing...but far from perfect? by deathgeneral · · Score: 5, Interesting

    I think that it's good that we see companies more involved and interested in tightening up their security. Most companies just buy expensive firewalls and other systems to protect their data, but ignore other obvious threats like someone just walking into their offices and sitting down at a unused workstation and browsing around the companies network. Security is multi-layered and a continuous process, that means even if they went through a security audit and everything was ok, they shouldn't stop to improve their security,..there's always a fast-paced race between those who protect and those who will try to pass that protection. Hope this story gives other companies which don't care about security a real reason to make an audit in the very near future.

    1. Re:Good thing...but far from perfect? by Skynyrd · · Score: 4, Interesting

      I used to work for a school district as an IT guy. The ignorant trolls in the personnel department demanded their own locks on the doors (my master wouldn't work) and all sorts of other "special" security.

      Of course when I went to work on their machines, they would have their passwords on post-it notes on the keyboard.

      On more than one occasion, somebody would yell "hey Cindy, I need to use the blah blah system; what's the password". Cindy would yell it back to them - during business hours with lots of extra people in the room.

      Lock your network all you want, but if you hire idiots or people who don't care, it's an easy wasy to lose.

    2. Re:Good thing...but far from perfect? by aussersterne · · Score: 4, Insightful

      The problem is that companies are run by people, and unless they are technology companies, they don't employe technology-savvy people.

      Most people in most companies have a fundamental lack of understanding of what the security risks are and what their nature is, even after you explain it to them.

      For any given security risk, high- and mid-level management expect to simply be able to buy one expensive product to fix it (not really even understanding what it means to "buy" a security product in the first place--that's IT's job). They don't even understand that there could possibly be anything more that needs to be done, and it's very difficult to get them to understand this.

      And if there is no commercial product that advertises itself specifically as "the fix" to a given security risk, management often refuses to even conceive that the risk might exist, so trapped are they in the worldview that "if there's really a problem, someone will have made a product to fix it; if no-one sells a product to fix it, then it must not actually be a problem."

      Things like changing the settings of a product or altering behaviors of employees or the topologies of network are simply beyond their understanding because they just don't have that deep a view of the technology-- the entire corporate network is just a pile of magic products to them and any product will either fix a problem, in which case it's a good product, or it won't, in which case (they believe) they bought the wrong product.

      As far as they are capable of understanding, throw some IBM, some Cisco, and some Microsoft all into a cemement mixer and stir, and *boom*, corporate network and you have "instant 21st century!"

      --
      STOP . AMERICA . NOW
  4. The most secure server by AtariAmarok · · Score: 5, Funny
    "just takes ya back to the saying "the most secure server is one that's offline" :)"

    The most secure server is first locked, then secured with a Kryptonite lock. After this, some real Kryptonite is attached to it (remember, it is never secure as long as Superman can bust into it). After this, it is encased in carbonite with a scarecrow wearing a Jar Jar Binks mask. The entire assembly is left in Jabba's palace. Don't worry, no one's gonna even be thinking of approaching the thing to rescue Jar Jar.

    Just in case anyone does, we have an "I Love the Bee Gees" bumper sticker on the side. Also, we've moved it to a position standing right behind Jabba's toilet. I dare you to approach it.

    --
    Don't blame Durga. I voted for Centauri.
    1. Re:The most secure server by theonetruekeebler · · Score: 4, Funny
      first locked, then secured with a Kryptonite lock

      You mean the ones you can unlock with a Bic pen?

      we have an "I Love the Bee Gees" bumper sticker on the side.

      Thereby guaranteeing it will be blown up by an anti-disco activist---as in "If we don't blow up this server, the disco Taliban will have won."

      Clearly, the best way to protect the server is to put it in a large bucket, then to pour molten titanium into the bucket. Then encase it in carbonite.

      --
      This is not my sandwich.
  5. nice by Renraku · · Score: 4, Insightful

    What's cheaper in the mind of a shortsighted executive that can only see ahead to about a three to six month range?

    Having you put in jail for threats of terrorism to shut you up about their secrets, or paying the IT guys overtime to fix the holes?

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  6. Basic Security Lesson: by DingerX · · Score: 4, Insightful

    People expect thieves to act like thieves. Act like you know what you're doing, and you can walk out with most data.

    Another lesson -- put AP mines in your crawlspaces.

  7. Reg Free by Anti_Climax · · Score: 4, Informative

    Paste this link into google and click through for a single page version

    http://www.nytimes.com/2005/07/31/business/yourmon ey/31hack.html?pagewanted=all

    no reg required

    --
    Even people that believe in pre-destiny look both ways before crossing the street.
  8. It is very easy by Anonymous Coward · · Score: 5, Interesting

    During my career, I have worked as a tech break/fix. I have worked for a university, federal govt, and private sector.

    Due to the nature of the job it is difficult to get passes or keys to move around immediately, especially into secure areas. So you put on your charm and off you go.

    It is very easy to take things. Just look like you know what you are doing and where you are going.

    Be presentable and nice, be friendly with the receptionists/secretaries/admin, and you can go anywhere.

    I have been let into computer rooms that are supposedly secure, I have been assisted by security guards in loading computer gear into my car, I have had secretaries hold doors on elevators so I could get stuff in. I'm talking thousands upon thousands of $$$ worth of stuff. All of them took my word for it, never questioning or phoning to find out. I have never had to show ID.

    I have actually had one employee of a major oil corporation watch me follow him in through the doors, ask me, "Where are you going? Who are you?"
    This was going into their engineering areas, from which I'm sure numerous other oil companies would love to see the data.

    I replied that I am a computer tech and visting XXXXXXX. "Who? Are they on this floor?" "Yeah, they are, around the corner." (I really only had an office number ;-) "Oh, ok. You look honest." He actually told me I looked honest, so it was ok! From there I found the office I wanted, no one was there. I was to swap out a couple of hard disks, so I did. Many people poked their head in, joking along the way, "Hey! You don't look like XXXXXXXX! Unless he's shrunk! hahaha!" One even to see "what does a hard disk look like?" No one questioned me from there.

    Many, too many to count, I have just knocked on the door and asked for Mr. S.A.S. "Oh, I'm here to take a look at his computer, he said it wasn't working. Can I see it?" Then they lead me to the office, in which Mr. S.A.S. isn't there. "Well, I'll just start and he'll come back and I'll let him know. Thanks." Then they leave.

    It doesn't matter how secure it is, like the article points out, being sociable gets you lots of open doors.

    Crazy part is that I pride myself on this "talent." It's much simpler to talk your way through than to have to run all over getting ok's and escorts into areas.

  9. Good points by jd · · Score: 4, Interesting
    I'd consider security as being essentially split into the following layers:


    • Stopping intruders getting onto the network in the first place (firewall, limited use of public IP addresses, etc)
    • Stopping users on the network from accessing machines they shouldn't (ie: strong user authentication, eg: Kerberos)
    • Stopping machines on the network from accessing other machines they shouldn't (ie: strong host authentication)
    • Stopping sniffers and vulnerability scanners by using encrypted network traffic (eg: IPSec, Sun SKIP, or something similar)
    • Removing code that has known exploits, to prevent the bypassing of any of the above
    • Using Active NIDS to detect attempts to break the security


    In practice, almost no organization is going to install all of the above. Even the US Government, which is not short of ready cash, is getting far poorer grades on their network security audits than they should.


    However, if you define the "target" or "ideal" security schema, then you have something you can compare against. IMHO, the above description is the "ideal", in that it is unlikely that anyone would be able to break in using technological methods.


    The remaining problem - social engineering - is not something you can program against. The description I outlined, if implemented in full, would provide enough checks and counter-checks to require someone using social engineering to get past several people, which raises the bar a little but does not make it hard enough.


    ("Hard Enough" is defined here as making it an impractical method for typical IT situations.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Good points by Hal9000_sn3 · · Score: 5, Insightful
      You seem to have left out the three most important things.

      1. Education

      2. Education

      and

      3. Education

      Without education, a junior sysadmin can open ports on your firewall, or run up their own harmless little p2p box in the DMZ.

      Users will share their credentials, or choose weak ones.

      Someone will find the false positives from the NIDS to be annoying, and route the output to /dev/nul

      Removed code will be reinstalled. And so on...

      All is in vain without education.