-
May 15th, 2004, 10:52 PM
#1
How the *^$µ
Question?
How do I make my firm see that their security is worthless?
Simple example (of many):
The firm works for the city (police, hospitals and all kinds of city ordinances and yes, even the mayor of the city).
Now all these people have an email account which they can access through OWA ... this is where the fun starts.
This page is reachable from the internet (no, I won't give you the address), so everyone who works for any of these instances and wants to read his mail from home or wherever can do just that.
This page runs on a server NT 4 SP 6 with Exchange 5.5 (yeah, I know) and on that same server is also an FTP (you don't even wanna know what for).
Lately (the last 2 years) the firm has been very lucky ... no "real" hacker has ever attempted to break into the mailboxes (and believe me, it would be very, very easy for a guy to break in if he knows what he's doing; let's say the users have easy passwords, if you know what I'm saying).
So the only problem we have lately is the crashing of IIS, this because of the many script kiddies (I think) who are learning to crack.
This I know because of the logfiles (trying to log in with stupid usernames like "god" and "master" ... please).
Anyway ... I mentioned this "security risk" more than a few times to different bosses (yes, we have lots and they all know nothing about the network).
So if someone is interested in some mails from a mayor to ... let's say a policecommisionar (spelling?) ... drop by ...
But seriously, what can I do to make them understand that the network is an open book for someone who knows what he is doing? Should I hack it myself (naaah, that's too easy and they won't believe it)?
Any suggestions are welcome.
Back when I was a boy, we carved our own IC's out of wood.
-
May 15th, 2004, 11:02 PM
#2
UNDER NO CIRCUMSTANCES TRY IT YOURSELF!!!!!!!!
Hell, we want to see the BAD guys in trouble?
I would suggest education ... in their restaurants ... canteens ... whatever? ... just show them a firewall bringing up alert messages?
Gets them thinking?
-
May 15th, 2004, 11:05 PM
#3
Hmm.
Interesting, like say a seminar for them ... with slides of things that can happen.
A doom scenario...
That's not bad advice ... now why didn't I think of that ... now only convince them to come...
Not bad ... thanks.
Any more suggestions, anyone?
Back when I was a boy, we carved our own IC's out of wood.
-
May 15th, 2004, 11:23 PM
#4
Should I hack it myself (naaah, that's too easy and they won't believe it)?
well aren't u a genius!??!
Actually NO...
You said you had logs showing hacking attempts and whatnot? Show those logs to the system admin or the person in charge. End of story. That's the only thing you should do.
-
May 15th, 2004, 11:29 PM
#5
well aren't u a genius!??!
It was meant sarcastically, of course...
Anyway, I showed them the logfiles ... their reactions were all the same ... "nothing to worry about" ... but when the day comes and mail gets "stolen" or made public ... guess where they are gonna knock...
I'm thinking about that seminar thing... maybe that will wake em up.
Back when I was a boy, we carved our own IC's out of wood.
-
May 15th, 2004, 11:34 PM
#6
And who would be invited to the seminar?
-
May 15th, 2004, 11:36 PM
#7
You shouldn't do anything! If they don't listen to you, it's not your responsibility. Still, you could give them a demonstration.
If you don't want people constantly looking over YOUR shoulder, suspecting YOU, rather than the possible attackers, I would not do anything behind their backs, even if only to prove a point. (And yes, those that know me can tell me I should follow my own advice.)
-
May 15th, 2004, 11:40 PM
#8
And who would be invited to the seminar?
I'm thinking everyone who is someone at the firm ... all the managers and client responsibles.
Even maybe some of the clients (key figures) ... that would have impact.
It could backfire ...I know ..but then again ... I probably won't stay in this firm much longer if they keep up their security at this level.
Back when I was a boy, we carved our own IC's out of wood.
-
May 15th, 2004, 11:44 PM
#9
The problem is not backfiring ... the problem is letting everyone know where the holes are and putting the firm into further danger of attack.
-
May 15th, 2004, 11:48 PM
#10
That's very true ...
So I won't be making it too public, I guess ... I will have to think this through.
Thanks for the heads up guys.
Back when I was a boy, we carved our own IC's out of wood.