Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Full-Disclosure] Things that make you go "Hmmm"
From: James Tucker (jftuckergmail.com)
Date: Thu Mar 03 2005 - 03:47:38 CST
What amazes me most having read this whole thread, is not so much that
a server may have been hacked; this happens if you gain enough
attention from the wrong people and do not build your systems hard
enough (like people in a failing company).
I am amazed that a forensics box was the target, moreover, that it was
capable of being the target, and even more amazed that in fact it was
a corporate mailserver.
1. If the box was to be used for forensics research, it is likely that
it contains sufficient tools in certain user accounts to do any amount
of damage to the system and to view almost every important property of
it in a relatively short space of time. To put such a system in a high
point of exposure, or in a point of high information value (such as
running a mailserver from it) is extremely bad practice.
2. The company uses spamsoap store and forward. If the mail server was
configured to retrieve mail from spamsoap it is entirely possible that
the store and forward account was also compromised, leading to
potential disclosure without continued access to pivx network
3. If the machine was so core to infrastructure why was it given a
live dns address so close to the domain root?
4. Pivx' (lack of proper) response to the issue. They had a box
labelled "forensics" hacked, and "it is being re-imaged". So in other
words, it's going to be returned to the same state as it was
originally, without any forensics work taking place.
5. If "re-imaged" there is nothing to suggest that the previously used
exploits will not work again on the new system, thus the need for
proper forensics work, which has clearly been neglected.
6. Recent major disclosure of internal publications and
communications, there are allot of clearly frustrated employees within
pivx each of which may be attempting to cover their tracks of
information disclosure by hacking, or allowing said machine to be
7. Given the nature of the company and the configuration which they
would seem to be referring too there is no good reason why the server
in question was publicly accessible at all, there is a perfectly good
store and forward service which can happily be the sole external
communicator with the box.
8. The forensics department seems to be out of contact with the
operations staff, who seem to be not directly related to the
"corporate counsel". Who is actually in charge of your company? I am
beginning to think the hacker has more control than any of you.
9. Discussions of server exploitation via potentially disclosed
communications mediums. In the event that the hacker had successfully
spread from forensics.pivx.com to some other machine (not unlikely
being your displayed e-mail etiquette) then the mails you send
discussing the matter may also have been compromised. In essence you
do not know where the mail has come from, who sent it, or when it was
sent. In fact there is no reason to trust anything in or out of pivx
10. Evident lack of experience dealing with internal corporate
security issues and poor communication leading to wide spread
disclosure of potentially damaging situations without explained cause
I would strongly suggest that any and probably all of Pivx financial
issues are products of the above, or situations similar to the above.
This company is not capable of picking up the phone or reaching
individuals over any secured transport medium. In fact it would seem
that everyone knows a little of something, but not even allot. There
is deceit and destruction occurring from within the company. My
suggestion to Pivx as a whole is to stop what you are currently doing,
look at your infrastructure (human and systems) and decide what CAN be
managed and what CANNOT. Remove immediately that which cannot be
managed and begin MANAGING that which can. There is no reason to keep
any employees which are not capable of full filling the company goals.
A company is a team so someone trying to score at the wrong end is no
use at all.
I am sure your investors are mighty excited to hear the next
installment. If you still have any value in your company, given that
you had an attack and you destroyed all the evidence of what was done.
What if a mail was captured containing sufficient information to gain
access to build files for your products?
Have you verified the contents of the applications on your web servers?
Are your customers safe from attacks?
Are you un-knowing as to the status of your system automations such as
updates and the current state of information flow out of the company?
Whilst it is true from this point that Jason Coombs may have thought
the box was being hacked during the time when some other member of the
business was performing critical updates or some other management
function, there is no good reason why Jason was not aware of this
before it happened. If Mark is confident that the box has not been
hacked, then he needs to take actions to find out what is going on
with Jason and most importantly why he is informing the world of false
facts which damage the corporate image.
This is surely a dark shadow now hanging over pivx. Further disclosure
may be the only way to regain respect from the security industry, but
given the complete (and entirely public) contradiction between two
senior managers this may be difficult.
I am flabbergasted. The entire interaction of this thread is wholly
bad practice and gives the appearance of a company which is completely
out of control. Pivx should be preparing a full formal press release
to (attempt to) clear this up.
wow. absolutely wow.
Full-Disclosure - We believe in it.