> My last job (I left earlier this year, the
> creative design part was over and I got bored
> doing routine administration) was an Internet
> Systems Engineer for a large bank/credit card
> company/merchant processor.
The other thing about that place was about the 20th time someone takes all the credit for your ideas, it gets old......
> We built that system as impenetrable
> and uninterruptable
> as we could.
Four sources of power, clustered port redirectors for doing server farms, fully redundant hardware, etc.
The security was give or take that one last little tweak that nobody would let us do....... Or that one last item on the checklist that was added and had to go through a change control process to be implemented.
The actual redundancy was to the point that it was harder to shut the thing down than it was to keep it up. (almost like it was alive)
> Extreme security, multi-level DMZ
> design, black IP, major intrusion detectors,
> dead-end fake IP subnets, quite a few traps
> and, uh, planted 'distraction', and of course
> 128-bit SSL.
Hey-- I liked my planted distractions. They didn't have honey pot written all over them, but lo and behold that's what they really did.
Oh-- and can't forget intrusion detection supplied by different vendors and managed by separate IDS specialists who completely reviewed each other's work on a constant and continual basis. Oh-- and as far as anything for security or redundancy goes...... if one was enough-- there was at least four. (two from two different vendors so it was redundant from both a networking and a security standpoint)
> It's been running for almost two years now, and
> no one has come close to hacking it. The
> firewalls and intrusion detection
> software usually record several
> thousand
> attempts per day, usually just script kiddies,
> once in a while a 'real' cracker. But nobody
> has ever got in, and if someone did, I would
> definitely be one of the first to know.
Depends on who is the first to know internally-- race ya.:^)
> We even hired some top-of-the-line, extremely
> good professional hackers, and they were only
> able to glean the tiniest amount of information
> about the topology of the network.
Now for the question of the day. When the big name security certification companies review a site for insurance purposes, etc-- who certified that they know a damn thing about conducting penetration tests or reviewing security in the first place?
True story: I personally completely and totally ripped SEVERAL of one company's "reports" to shreds in a document and did what I could to see to the refund of several thousand dollars to the bank. Every time we rejected their report because it was totally inaccurate, they would run another. The reports were so bad that they did not even agree with each other! I felt bad for ripping their security analysts apart so badly, but I felt as though I had to do it-- their report was so bad that I could have composed a more accurate document when I was in Jr High less than a year after I learned what TCP/IP and ports were and still had no clue what a "slash 24" was.
On with the rest of the story. I later ended up getting cornered into helping their people understand what they did wrong and helping them improve their security review process.
I foresee someone wanting to bring up levels of experience or training so I'll just let it be known now that I am a self taught admin/security analyst/IDS/IPS type with little to no formal schooling or certification. I have lived, breathed, eaten, and slept network security for over 5 VERY long years (with more 100 hour weeks than I care to think about). Granted I am probably the exception since I am under 30 and have done things from firewall QA, to VPN engineer, to banking system security person, to intrusion detection specialist. Now I am authoring from scratch enterprise wide security policy/requirement docs (posted to the intranet), aid in product selection, identify test parameters for product security review, and make very important security decisions for a company with over 80K employees. I also gather best practice inputs and write implementation procedures and security checklists for system/application build. Oh-- and it is a Fortune 50 corporation. (Oddly enough one of the few who was 99.9% mainframe up until a year ago and has skipped the 'open systems client/server' environment almost entirely.)
> The only bad thing about the bank site is that
> the HTML coders have made one of the ugliest,
> lamest sites I've ever seen. They sure could
> have done a better job, but it's at least
> usable and extremely secure.
Truly an example of beauty being in the eye of the beholder. I agree-- the site was/is hideous. I can't say too much about the code though since I have a different view on what a web architecture SHOULD look like. (I tend to like to put layered IDS type traps inside of application architectures though so don't mind me-- I'm a bit ahead of current best practice in that regard)
> I use it myself, and feel safe doing so,
> especially as I implemented a lot of the
> security myself, very very carefully, as if I
> made an idiot mistake I would be held
> PERSONALLY liable.
Yes I helped build it, and yes I helped secure it, but to this day I detest internet banking systems' mere existence. I don't want or need my bank hooked into the internet, but unfortunately all of them are now. I am left with only the comfort of knowing that at least this bank has used state-of-the-art technology configured to deny everything by default based on TWO sets of default deny rules on separate products from different vendors. I take comfort in knowing that they are on completely different OS platforms for the two control points and that there is more IDS at those control points than I care to think about. (to the tune of several gigs per day worth of logs that ARE ALL correlated in real time for serious infractions and REVIEWED DAILY)
> Kinda scary knowing how many billions of
> dollars are in that bank, and it's my ass if
> they get through. But I'd be very very
> surprised (and very respectful of the person)
> if anybody actually got through!
That's what made the job fun though.
> I don't know about other banks, but this one is
> tight. (Sorry, I cannot disclose which bank it
> is without written permission from them, or I'd
> be happy and proud to tell you.)
Good man. And no-- not a chance that I am giving that up either.
> As far as the one bank someone was talking
> about that didn't even use SSL - you'd better
> find yourself a new bank - FAST!
Actually, I'd recommend also calling the feds. They are in violation of several banking regulations.
Now for the next person who posted:
> I don't know why, but you sound like a total
> cluebi.
We won't go into what you sound like.
> you just read 'hacking exposed' right?
> Good network design is always good,
> distractions are good, honeypots are good,
> 128bit SSL, hoho, now that sounds promising.
> You're using state of the art stuff 'eh, right.
> I don't know any current or past commercial,
> let alone public! software which I would trust.
There are not any that we would trust either. You should not make assumptions like there is only one type of anything in that network.
> For example, the world leader in firewalls,
> yes, you know who that is, has had a remotely
> exploitable buffer overflows in their code
> since the very early stages of the product,
> until today, they still don't know about it.
I've known about it for nearly 18 months. I personally called the vendor you are talking about and talked to them about the problem when I learned of it in the underground. Once again an assumption. You ASSUME that the vendor does not know about it because they don't acknowledge it, have not published it or released a fix, etc.
Having market share is entirely different than being the "world leader". I have worked with several firewalls. (I worked for a firewall vendor and did the configuring of my vendor's firewall in the "firewall roundup" by NSTL) I know which product you are talking about. It is basically junk relative to the stuff some of the other guys are doing. I certainly would not trust it to direct internet exposure with no other control points between it and a secure bank network.
> Oh, it's been running for almost two years now,
> no incidents 'eh
He did not say that-- he said "..... nobody
has ever got in, and if someone did, I would
definitely be one of the first to know. "
There have been incidents of people hitting the honeypots. They did not get anywhere except somewhere where let's just say they have plenty of time to think about the "no good" they were up to.
> let me tell you this darling, and you listen
> well, if someone serious was after this system,
> you certainly wouldn't know about it
It helps to measure the situation before shooting your mouth off uncontrollably. For example, you just called a 6'8 280 lb guy with shoulders practically broad enough to put his arms out of BOTH windows when he drives down the street "darling".
> Would you trust a system designed by a person
> which has the above homepage ooze.bloomnet.com
Trust is a relative thing. It is based on assurance.
Let's analyze it shall we.
Relative to someone who practices in the making of assumptions rather than in the analysis of the situation as it presents itself. You don't have the kind of information you need to say any of what you have said.
Just take the time to stop and look. Ask questions instead of assuming and flaming.
Just in case you are wondering no-- I would not trust your skills over the guy you just flamed.
> he clearly has obvious mental problems.
Once again-- another assumption.
> I would flame some more, but I'm tired.
Glad to see something was able to save you from the embarrassment.
A wise man once wrote: It is better for someone to think you might be a fool than to open your mouth and remove all doubt.
Please spare us the removal of doubt factor.