OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Software vendor clueless

From: Jeff Peterson (jpetersonbtiis.net)
Date: Tue Aug 19 2003 - 10:34:22 CDT


 For sake of clarity:

My customer did nothing wrong, and I don't lay any fault on them. The issue
is the software vendor who, as a developent house, should know better.
Forcing all of their customers to use the same 4-letter password and forcing
them to leave PCAnyWhere ports open 24/7 begs derision. In fact, it begs
legal sanction.

A month ago, an audit showed that the Exchange server was not acting as an
open relay, and I know for a fact that this base of customers does not do
any tweaking on their servers. In fact, they originally called me last week
to make sure they were protected from the msblaster worm. They are even
afraid to patch the systems, much less make any config changes. Other than
the software vendor in question, I am the only one who touches their
servers. I know I didn't make the config change, and I'm sure the sw vendor
didn't make this change. Given the physical security, I can only deduce
that someone else took advantage of the weak password security, and helped
themselves.

I thank everyone for the suggestions. It has been an education all its'
own. I was able to use some of the grains of wisdom you people have shared
with me, and met the vendor half way. An independant third party security
evaluation is now scheduled, and this whole thing will take its' course in
due time.

Again, Thank you all.

Jeff Peterson

-----Original Message-----
From: Harlan Carvey
To: incidentssecurityfocus.com
Sent: 8/17/03 9:22 AM
Subject: Re: Software vendor clueless

Jeff,

First and perhaps most importantly, I think the issue
at hand really lies with your attitude. This is an
attitude that's seen amongst extremely technical
people when dealing w/ people they think are clueless.
 Remember, no one, particularly customers, are going
to pay to be put down for their business decisions,
even if those decisions were made with a lack of
knowledge. In fact, given your post, one would think
that they hired you for your knowledge...but I doubt
that anyone would hire a consultant to deride their
choice of software, etc.

In your post (below), you mention the problem.
However, there is no correlation between the weak
admin password and the change in the server. Even
Exchange 5.5 on NT 4.0 can be configured relatively
securely. Yes, it makes sense to upgrade, but many
places need a business case for making the investment.

Vendors like those you describe are nothing new. Nor
is the AT&T managed firewall. However, I think that
you're approaching this the wrong way. You shouldn't
view yourself as "facing" this guy, and "making" him
do anything. You should be approaching this from the
standpoint that you're helping provide a higher level
of security to your customer.

Just a thought.

Harlan

> I have a customer whose company does legal work for
> lots of businesses.
> The data housed on their network is what I would
> call 'financially
> sensitive'. Recently, I found their Exchange server
> had been turned into
> an open relay. It was not that way a month ago.Once
> I stopped the
> bleeding, I told them I wanted to change the
> Administrator password,
> (NT4.0, Exch5.5. I know, I know). They told me
> they were not allowed to
> change the password. "Sez WHO", I asked. "Our
> software vendor", they
> replied. Turns out the vendor in question has a
> niche market in this
> kind of legal field. Also turns out they use the
> same 4-letter, (no
> caps, no special chars), administrator password on
> ALL their customers
> networks. To make matters worse, they have
> PCAnyWhere ports open on all
> these networks, because their software is so buggy,
> the developers need
> to remote in and fix things all the time. The
> spokesman for the group
> claims that the AT&T managed firewall prevents
> anyone else from using the
> PCNoWhere ports by IP address.
>
> I'm not a great negotiator, and I'm going to face
> the SW spokesman next
> week. He is a good spin doctor. I'm looking for
> help in making him
> secure his stuff. All help is appreciated.
>
> Jeff Peterson
> BTIIS
>
>
------------------------------------------------------------------------
---
> Captus Networks - Integrated Intrusion Prevention
> and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port
> Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical
> Applications
> - Precisely Define and Implement Network Security
> and Performance Policies
> **FREE Vulnerability Assessment Toolkit -
> WhitePapers - Live Demo
> Visit us at:
>
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
>
------------------------------------------------------------------------
----
>

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

------------------------------------------------------------------------
---
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance
Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
------------------------------------------------------------------------
----

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------