I recently founded a services company (rivertechnologies net) - here's my $.02 based on my personal experiences, in no particular order. As a point of reference my BG is in distributed systems development, integration, security, proj. mgmt, etc.
Pick your target market carefully. Don't limit yourself to any one vertical, but don't use rand() to pick a company out of the yellow pages either! Our clients are primarily in banking, which works well for us, because (a) we know the business from the IT POV, (b) banks are always going to be in business as a pillar of the economy and (c) non IT companies are always looking to outsource non-core, revenue-generating activities, e.g. systems integration & development. The catch is to make sure that the services you can provide are ones that aren't 'disposable'...a lot of trends come and go, but the CIO will always have 20 things on their to-do list that they HAVE to get done. Prove to them that you can get it done, do it a few times, and now you have a valuable service.
Develop a business plan. Go to inc.com and read up on their material. Find 5 people who did what you want to do and were successful, and talk to them. Then talk to 5 others who weren't. Consider how you plan on funding yourself. Bootstrapping a firm puts things in perspective - if it doesn't make us $, and it costs $, and we don't need it, then we don't do it. No Aeron chairs and 21" TFTs here, at least for now;)
Consider your competitors. You are essentially looking to start what I would refer to as a commodity service - S/W eng, security services, systems integration, etc. is a highly saturated market. Everyone can find 10 decent 1099'ers who can do that, and there are slews of companies who do it very well, and are HUGE. The catch here is to develop your core offering(s) to appeal to your target market because there is something about you that makes you 'different'. I don't mean in a BS kind of way either...there has to be something about you and your s/w firm that will compel someone to say, "I don't want to send this job to India, because these guys: know my business/have expertise here/add value in some other way, etc."
How hard are you willing to work? Did you say 80h a week? OK good! If you are not willing to give 110%, then I wouldn't do it. If you have a wife/kids, or other commitments, talk it over with them first. Being successful at work doesn't mean much if your kids forget what you look like!
Consider your sales cycle. How long does it take to generate revenue based on your business model? How much $$$ runway do you have? Consider how long it will take you to get the business up & running before you can actually start selling yourselves.
Learn to think like the anti-Christ (a sales-person). Unless you are going to hire a sales manager you can trust, you will have to be well-versed in the sales cycle, and how to effectively sell your services in the timeframe that you have to work with. I would recommend two excellent books here: "The New Strategic Selling" by Heiman & Sanchez, and "Selling to VITO" by Anthony Parinello. (the 2nd book is great but clearly the guy is an egotistical dickhead who thinks techies are peons who get in his way.) If you don't have the stomach to sell to people, then you aren't going to do very well, unless you can convince 100 people to bang down your door asking for your svcs.
When you get all caught up in the non propeller-head activities in running an IT firm, you have to make sure you can stay current with industry trends, what is going on with your target market, and so forth. It is a catch-22 at times, as skills alone won't make your business grow, but if you can't deliver, then you surely won't grow.
Make sure you have 100% faith in your partners. Make sure they can contribute as much as you can; if they can't, make sure the partnership is arranged accordingly. Have some philosophical discussions, and make sure that you guys are on the same page. Does he want to grow into a $10M company, while you will be happy with $100K a year and the company car? This can lead to some sticky issues if you are not both on the same page.
So far this has been undoubtedly the most gratifying professional thing I have done, and even if we closed shop up tomorrow, I feel as though it has enabled me to grow unlike any other gig I have done before.
A Vendor-specific solution, but works great (comment on "Cheap KVM Over IP?", Score: 1)
If you have the option of picking a particular piece of hardware, Compaq/HP has the Compaq remote insight board.
This is a full computer on a PCI card, which has its own power feed with battery backup, 1 Ethernet IF, an optional 56K modem, and full hardware-level access to the input keyboard/mouse and video display.
The card runs a proprietary OS, and includes telnet and SSL-based access supporting a full console UI through a basic, Java-enabled browser.
I don't know if it will run in non-server class box3n, but I just picked up a Proliant 330 that, at about $1k, is for all intents and purposes really a basic x86 with server class chassis layout, etc.
This is interesting news. It is a loss to the security community at large, since securityfocus was such a great resource, although once they went commercial it lost a lot of its appeal to me.
Symantec is really positioning itself to be the M$ of security here. About 8 months ago, I was at a meeting with some of their top Sales and Product Dev. folks, and they presented their offerings roadmap. It included an appliance which would:
Serve as a FW/VPN
Act as a network IDS
Serve as a management console for Host IDS
Act as the A/V Manager
Because they have agents installed on every machine when you run Intruder Alert, NAV, or other tools, it would allow them to sync up the status of a host, network, etc. with the mothership at Symantec-Focus, and determine in real-time what devices are vulnerable. This is kind of cool in concept but not easy in execution.
My concern is that they already have bought other products, which are completely jacked up and are still not fixed. I spent my Thanksgiving morning last year doing a disaster recovery on a Symantec Intruder Alert System...what a mess that product is...where is the high availability, the fault tolerance, etc.? Again...cool concept, crappy execution.
This merger puts Symantec in direct competition with folks like eSecurityOnline, and I can tell you that for people already in bed with Symantec who have legal obligations to stay on top of vulnerabilities (e.g. Banks) this makes it a one stop shop for them.
I see it as a conflict of interest. They should buy a couple of pen-test companies while they're at it and they can even validate their product implementations are secure;)
I strain to find anything funny about this situation, or my brother being within an earshot of death.
My little (24 y/o) brother is a federal employee from Boston. He works for the Department of Energy, and was down in DC for work this week.
When I heard about the attack in DC I immediately freaked out. I tried calling his cell phone, only to find the cell switches flooded. I could only hope he was not near the Pentagon.
My mother finally did get in touch with him. He basically was told to evacuate the office, which was next to the Capital, and to go home. Unfortunately for him "home" was a hotel across from the Capital building.
He did call later with an update, he managed to take a train out of town and had to walk a long while to reach Georgetown U. He told mom that it was a completely surreal experience, with crowds running and walking aimlessly, while jet fighters were looming above.
I never was so scared for anyone's safety. Ironically, this AM my brother was in a seminar in public speaking and dealing with anxiety. I guess they picked the wrong day to run that class:/
My warmest wishes and prayers go out to those less fortunate.
A post mortem of the FBI's actions, please. (comment on "Adobe Backs Down", Score: 1)
Some type of review should be conducted to assess the actions of Adobe, the U.S. Government, and Dmitry. (but not U.S. v Dmitry) I suspect that the result of such a post mortem on the incident would yield the following:
a) The guy did not break any law based on the events in question.
b) The FBI demonstrated legal and technical ineptitude by arresting an individual for something that does not violate the law he was charged with breaking; nor was his work a violation of the DMCA.
c) The Atty. General demonstrated legal ineptitude by agreeing to prosecute someone even though the circumstances include the 2 points above.
IMHO, the only reason it went down the way it did was because everyone had a stake in it:
-> Adobe's case could have set some nasty case law, if not been the catalyst for the "Adobe Act of 2001" or some other type of ludicrous legislation which basically makes all (white hat) hackers heretics to be burned @ the FBI's stake.
-> Dmitry wanted to show ppl that ROT-13 encryption is probably not as secure as most ppl are led to believe, and if ppl knew what it was all about, and how easily it was defeated, ppl would choose another encryption solution (or *maybe* Adobe would jack it up a notch:)
-> The FBI wants to kick ass at Defcon. Hey if I was that poor fed that got flamed during spot the Fed on Friday AM in the Uber Haxor conf. (the one that looked like a fat John Denver and was wearing a Defcon 5 shirt that wasn't even faded, *and* was ironed) I would be a bit feisty too;)
I am glad to see that Adobe took the action it did. I hope Dmitry will find himself on the right side of the jailhouse door soon.
I would be hard pressed to imagine that these people are truly needy to the extent that if they had no charity/shelter to take them in, they'd be unable to provide the basic needs of every human, food, shelter, etc.
There are people who have more legitimate needs, i.e. mentally challenged, substance abuse, etc. which makes it much harder if not impossible to live in an independent fashion. I am not trying to defend the more conventional types who take advantage of welfare services (i.e. lazy/drunks, etc.) However, it seems even more perverse that able-bodied persons, who were only recently considered responsible enough to help build multi-million dollar corporations, would go and milk the system for free room and board, etc.
When pride isn't an issue, necessity becomes the mother of invention when times get tough...these guys could get jobs for sure. Instead of serving up some ASP files, they should try serving up some food as a waiter, or maybe they could parse orders at the register instead of parsing parameters;)
Maybe they could make money by authoring books about their turbulent career and lifestyles. Perhaps the book can read something like:
"Once I was paid $100K to 'think out of the box'; now I just live in one"
Seriously, I am sending the original article to my friends because I really get a laugh out of how foolish the whole thing is.
BTW: I am a young tech/geek/prof. and after reading about those fools, I am going to take a good hard look on how to make sure I don't become one of them. (Maybe picking up a new BMW should be put on the back-burner after all)
I work with NT all day, and I am charged with securing some pretty important installs. From my modest time doing what I do (~1 yr doing security) I can say this: NT can be secured, and it can be secured pretty well. However, the problem is that to secure it and maintain security is *way* too time consuming.
I can lock down an NT4/5 system pretty well, I can apply all of my MS hotfixes and good 'ol SP6a, and I can even dig into the ASP code and check for application level bugs. When I am done I can hook it into a net running a nice IDS, and be sure the routers/FWs are doing their part. And, I can be pretty confident that I will have rolled out a system that will be less than an easy target for the l33t kiddies.
However...I can say that maintaining a state of security is a complete cluster@!#$ in MS land. It is this way because to harden an NT/IIS 4 box it takes literally about 80 patches on top of SP6a. Plus, you have to ensure that after every hotfix you haven't caused your application to crap out.
On top of that, there is always the underlying "what if" on whether a patch from MS is 100% effective. For example, you can lock out the Unicode bug, and the ol' /msadc/..%e0%80%af../ string will die, but then some guy on securityfocus.com pen-test will insist he got a patched box with the vuln. Kinda scary, no?
Then, MS doesn't help things by not creating an SP7. As a result, instead of doing 1 patch I have to do 80 reboots. It is pretty clear they are doing this to drum up sales of NT 5. I mean after all, if they properly supported NT 4, MS would clearly go out of business. (not)
I am still a young grasshopper in terms of Linux know-how, but I have seen enough to know that an out-of-the-box RH install can be rooted just like NT. I think the problem with NT security is that everybody and their mother knows NT, the hacks and scripts are idiot proof, and the exploits are easily discovered (both as exploits and how to use them). For example, any jackass can find a Unicode bugged IIS box, upload hk.exe and nc.exe, DL the SAM, etc. However, if the admin was any good, they would have done lots of things to prevent such exploits from happening.
If hacking NT required busting out the C compiler, building kernels, or anything else that requires actual understanding of computers, I bet you'd see a lot less 'l33t' NT crackers.
So, I think that when people talk about how NT security sucks, they should also think about how the admins who secure those boxes are responsible, and how the tools available to hack NT are for ages 6 and up. NT can be secured, albeit a complete PITA to do/maintain.
Often systems are put in production with all default services running because "the firewall will take care of that."
Putting stock in just one security control is foolish. At my operation, we do things like use router ACL's to supplement FW rules; if someone DOSes the FW, or it dies of 'natural' causes, the routers, and other lines of security will still exist.
There should be some sort of government or other standard that the banks must adhere to, perhaps required simply to operate. If they screw up, they should be fined, and this can be used to pay down the debt, or social programs or something.
There is a government control...it's a little administrative office called the FDIC. If we do screw up, we are fined. A fine is actually moderate, with a 'write-up' being light, and shutting off the lights and locking the doors to the branch offices as 'severe'. Don't think it won't happen to the banks' online banking systems that are affected.
What we need is an open infrastructure supporting real anonymous e-cash. Once we have this the banks will all be out of business.
You will have to keep your "e-money" someplace...most likely an e-bank;) We are never going out of business, BTW, which is good because it keeps me employed:)
I work within the eCommerce group of a bank which is a direct competitor to one of the victims, Sovereign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.
I am not surprised to read what the Brit got for info (although I am surprised he got it within minutes, unless he knows the online banking backend software)
Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself:)
Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completely crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.
I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like public communities for SNMP on a router to the last logged in user being displayed on the console in NT.
Beware however, I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerabilities are never exposed during these tests, as they require doing things like dDOS attacks against firewalls, etc, and cannot be done in a feasible manner.
Here are some of the major problems with many banks today:
1) Shitty technology: Sometimes banks buy apps for reasons other than they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (a'la M$)
2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!
3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc. are not nearly what they claim to be. They claim they are a high availability, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the internet NIC accepting logins from any IP, machines that run NetBIOS on the internet NIC (because they login to DCs that sit on the internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the internet?!?
4) Poor security planning: Not enough gurus to plan/build/support the systems that are in place.
5) Too easy to look secure: All you need to do is buy an app, setup the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!
It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, dba's, knowledgeable outsource providers, etc. Hopefully high-profile events such as this one will be a wake up call to other banks.
Andrew
Often systems are put in production with all default services running because "the firewall will take care of that." ;) We are never going out of business, BTW, which is good because it keeps me employed :)
Putting stock in just one security control is foolish. At my operation, we do things like use router ACLs to supplement FW rules; if someone DoSes the FW, or it dies of 'natural' causes, the routers and other lines of security will still exist.
There should be some sort of government or other standard that the banks must adhere to, perhaps required simply to operate. If they screw up, they should be fined, and this can be used to pay down the debt, or social programs or something.
There is a government control...it's a little administrative office called the FDIC. If we do screw up, we are fined. A fine is actually moderate, with a 'write-up' being light, and shutting off the lights and locking the doors to the branch offices as 'severe'. Don't think it won't happen to the banks' online banking systems that are affected.
What we need is an open infrastructure supporting real anonymous e-cash. Once we have this the banks will all be out of business.
You will have to keep your "e-money" someplace...most likely an e-bank
I work within the eCommerce group of a bank that is a direct competitor to one of the victims, Sovereign Bank. I am a systems integrator and I do much of the security work at the systems/app level on our eCommerce systems.
:)
I am not surprised to read what the Brit got for info (although I am surprised he got it within minutes, unless he knows the online banking backend software).
Any bank worth doing business with will have many controls in place to ensure that financial institutions are taking the correct precautions needed to safeguard their customers. These controls include internal and FDIC audits, external attack and penetration tests against systems, and curious/nosey/tinkering staff like myself.
Any organization which runs an eCommerce system without contracting a highly reputed firm to do an attack/penetration test is completely crazy! (and out of FDIC compliance too) I *highly* doubt that the firms in question had taken the time to do this.
I coordinate a/p tests within my company, and these guys we hire will try to find *anything* that is remotely considered a security hole, ranging from things like public communities for SNMP on a router to the last logged-in user being displayed on the console in NT.
Beware, however: I have worked with some reputed firms who sent me people who couldn't break out of a brown paper bag, let alone crash my firewall to hop thru the VLAN and into my host systems! Also another problem: many vulnerabilities are never exposed during these tests, as they require doing things like DDoS attacks against firewalls, etc., and cannot be done in a feasible manner.
Here are some of the major problems with many banks today:
1) Shitty technology: Sometimes banks buy apps for reasons other than that they work well, are secure, etc. i.e. everyone else runs it, so we need to as well (a la M$).
2) Time to market too aggressive: Aggressive growth, mergers, etc. dictate that we have every bell and whistle available on the systems side. This means that we end up with too much work to do in too little time. Things like proper systems design, security planning, etc. suffer because some jackass project mgr. can't fit it into his M$ Project file, or the budget can't fit in a $30,000 attack/penetration test. If banks want to grow fast, they need to gear up with people and money to match!
3) Horseshit outsource providers: I am sure that this app that was hosed by the Brit has some components outside of the actual banks that were victimized. I can tell you first hand that many of these providers, i.e. BBN, AT&T, etc., are not nearly what they claim to be. They claim they are a high-availability, fully secured operation. I have seen firsthand such idiotic things as: open remote control s/w (i.e. PcNowhere) running on the default port on the Internet NIC accepting logins from any IP, machines that run NetBIOS on the Internet NIC (because they log in to DCs that sit on the Internet). How in all high hell can you secure something when you have your domain logins flying unencrypted across the Internet?!?
4) Poor security planning: Not enough gurus to plan/build/support the systems that are in place.
5) Too easy to look secure: All you need to do is buy an app, set up the back end stuff at the bank, get an outsource provider that can host your web boxes (they must be SAS70 certified) and then hire XYZ to do a penetration test...if it comes back with security holes, just fix them!
It takes a lot of dedicated people to make a fully secured system...firewall/router guys, systems folks, DBAs, knowledgeable outsource providers, etc. Hopefully high-profile events such as this one will be a wake-up call to other banks.
Sorry for the extended rant,
Andrew
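Point 3 above (remote control software and NetBIOS listening on the Internet-facing NIC) and the SNMP finding in the a/p test paragraph are the kind of exposure that a host's own `netstat -an` output reveals. The following is an added example, not code from the original thread or its author: it parses `netstat -an`-style output and flags listeners on the external address (or on 0.0.0.0, which covers every interface) whose ports belong to services that have no business facing the Internet. The netstat listing and the 203.0.113.0/24 and 10.0.0.0/8 addresses are constructed for the example; the port table is this example's own selection of the services the post names (pcAnywhere, NetBIOS, SNMP) at their standard default ports.

```python
"""Flag Internet-facing listeners for services that should be internal only.

Added example; the netstat output below is constructed, not from a real host.
"""
from typing import Iterator, List, NamedTuple, Set, Tuple

# Services the post calls out, keyed by (protocol, default port). The
# selection is this example's; the port numbers are the vendor/IANA defaults.
RISKY = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service (SMB, domain logons)",
    ("udp", 161): "SNMP agent",
    ("tcp", 5631): "pcAnywhere data channel",
    ("udp", 5632): "pcAnywhere status channel",
}

# Constructed `netstat -an` output for a dual-homed web host:
# 203.0.113.10 is the Internet NIC, 10.0.0.5 the internal NIC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:4412      ESTABLISHED
  UDP    203.0.113.10:137       *:*
  UDP    10.0.0.5:137           *:*
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:5632           *:*
"""
EXTERNAL_IPS = {"203.0.113.10"}


class Finding(NamedTuple):
    proto: str
    local_ip: str
    port: int
    service: str


def parse_netstat(text: str) -> Iterator[Tuple[str, str, int, str]]:
    """Yield (proto, ip, port, state) from netstat -an style lines.

    Header and blank lines are skipped; UDP lines carry no state column.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        yield parts[0].lower(), ip, int(port), state


def audit(netstat_text: str, external_ips: Set[str]) -> List[Finding]:
    """Return risky services reachable on the external NIC.

    A socket bound to 0.0.0.0 answers on every interface, so it counts as
    exposed even though no external address appears on the line. TCP lines
    that are not LISTENING are client-side connections and are ignored.
    """
    findings = []
    for proto, ip, port, state in parse_netstat(netstat_text):
        if proto == "tcp" and state != "LISTENING":
            continue
        exposed = ip == "0.0.0.0" or ip in external_ips
        if exposed and (proto, port) in RISKY:
            findings.append(Finding(proto, ip, port, RISKY[(proto, port)]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, EXTERNAL_IPS):
        print(f"{f.proto.upper()} {f.local_ip}:{f.port}  {f.service}")
```

On the constructed listing this reports five findings: pcAnywhere on both its channels and SNMP, all bound to 0.0.0.0, plus NetBIOS on the external address; the same NetBIOS ports bound only to 10.0.0.5 are not reported, which is the bind-to-the-internal-NIC-only configuration the post is arguing for.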