January 2nd, 2004, 05:29 PM
Am I the only one that noticed that "576869746568617" is hex for "whitehat". It's missing a few digits on the end, assumably because the number of caharacters exceeded the max.
January 2nd, 2004, 05:43 PM
This thread has been refreshing.....
Although when I first strated reading I was wondering why it had not been left to die a quiet death.
The business case is always a good one to take to the managementand & catch has demonstrated an excellent way to make that case.
But there is another case worth considering as well - The statuatory obligaiton. There may exist a legal obligation to protect information held by your company. A similar caluclaion can be used resulting in anual probability of the CIO/CEO being sent to gaol based on your risk assesment.
The test that will be made legally (in the UK anyway) is whether you can demonstrate that you have taken reasonable care to protect the systems your company is responsible for.
Now this is not being stated due some peak testosterone levels just to frighten the management, but as a professional in the IT industry, my CV & reputation will be ruined if my CEO gets imprisoned because of lack of relevant investment and I haven't made them aware of the risk. Remeber, file that all important memo
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
January 2nd, 2004, 05:45 PM
Coming from a similar backround (DARPA, DoD,etc.) Catch, I figured that you would know what I was getting at. Maybe it was the way I came across (like a 14 year old punk drooling at the Cult of the Dead Cow website or something). I'm just worried that you guys may think that I'm saying to just hack, hack, hack your systems, gain root, and use the power for evil. That's far from my intention. Sorry if I came across like a punk that just wanted to get someone fired. I just think that if one wants to be a great security admin, they should be able to think from the other side of the fence.
Also, I have read your paper in the past. It is a great informational resource and should definately be added to any admin's library.
January 2nd, 2004, 05:48 PM
January 2nd, 2004, 06:03 PM
Resources for Security Info
Here are some informational resources for you guys. There are links to "tools" as well, investigate these at your own risk. Some of them are tools of the blackhat, so I wouldn't download these onto any system that you do not own.
Hope it helps, and please, use responsably, as you will be responsable for anything you break!
January 2nd, 2004, 06:04 PM
Here it is. It's a .zip archive.
January 2nd, 2004, 06:11 PM
Also, If anyone feels the need to attempt anyhing in my posts, please read this first. Your job (and possible criminal record or lack thereof) may depend on it.
January 2nd, 2004, 06:43 PM
For those who may still feel that therecommendations in my first post were irresponsible, please read the following.
Any time a trusted, secure system is accessed, a login banner should be displayed. This is common practice, especially on DoD systems. Take a look at this excerpt from the ACERT (United States Army Computer Emergency Response Team) logon Banner:
"DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system."
That is exactly what I was talking about. A responsable use of hacking, not a malacious attempt to wrest control.
Hope that clears things up.
P.S. just learned that I could Edit...Guess i should have read the F.A.Q. a little closer. Anyhow, the point that you have made, Steve, is the same one I was trying to make, just in a different, (and possibly wrong) way. Your point is well taken, and I appreciate the constructive criticism. (I guess I did, considering my lack of explination in the first post, and my repeated posts, lol.) I do appreciate the comments from Catch as well...nothing beats hard numbers.