encrypted tapes

lists at notatla.org.uk
Thu Jun 9 03:57:51 EDT 2005


From: "Perry E. Metzger" <perry at piermont.com>

> It is worse than that. At least one large accounting company sends new
> recruits to a "boot camp" where they learn how to conduct "security
> audits" by rote. They then send these brand new 23 year old "security
> auditors" out to conduct security "audits", with minimal supervision
> from a partner or two. The audits are inevitably of the lowest
> possible quality -- they run automated security scanners no better

The worst security audit point I have ever seen came from KPMG and
said that logging on as a particular non-root unix account got root
access, based on the "WARNING! YOU ARE SUPERUSER" message seen at login.
What they'd never done was check something like "sum /etc/shadow" to
see whether it was permitted or denied, nor run "id" or similar checks.
So when this user's home directory is absent and he ends up using
/ and /.profile (where the warning was in an echo statement) he gets
this message on the screen.  So where they should be writing
"misleading warning in some circumstances" they write "root access
immediately available for common users".

I'm planning to teach a class of 5 existing internal auditors
next month on some security s/w and I am going to include:
   - focussing on the more important stuff
     (a long-running problem where I work)
   - you must prove it before you can report it
   - you must be able to state what is wrong with the observed state;
     usually expressed as the policy point(s) violated
     (just appearing in scanner output is not enough)
   - you should have some idea of one reasonable way to fix it

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
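The "prove it before you report it" point above, as an added example (not the poster's script, and not what KPMG ran): a small POSIX sh script that checks the claimed root access by effect rather than by banner. It assumes id(1) and grep(1) are present; the "sum /etc/shadow" test from the message is replaced by a plain read of /etc/shadow, which answers the same permission question without depending on sum(1). The missing-home-directory case from the message is reproduced by pointing the banner check at a constructed directory containing a .profile with the warning in an echo statement.

```shell
#!/bin/sh
# Added example: decide whether "WARNING! YOU ARE SUPERUSER" at login means
# anything, by checking the process's actual privilege instead of the banner.

# The effective UID is the only thing that decides whether the kernel treats
# this process as root.
effective_uid() {
    id -u
}

# Can this process really read the shadow file?  Prints yes or no.
# (Stands in for the "sum /etc/shadow" check from the message.)
shadow_readable() {
    if cat /etc/shadow >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Does the .profile in the given directory print the superuser banner?
# When a user's home directory is absent, login falls back to HOME=/ and
# the shell reads /.profile, which is how the misleading warning got
# printed in the message's case.  Prints yes or no.
banner_in_profile() {
    dir=$1
    if grep -q -i 'SUPERUSER' "$dir/.profile" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Turn the observed facts into the finding an auditor is entitled to write.
#   $1 = effective uid, $2 = yes/no shadow readable, $3 = yes/no banner seen
classify_finding() {
    uid=$1; shadow=$2; banner=$3
    if [ "$uid" -eq 0 ]; then
        echo "ROOT ACCESS"            # proven by uid, not by a message
    elif [ "$shadow" = yes ]; then
        echo "SHADOW READABLE"        # not root, but a real privilege problem
    elif [ "$banner" = yes ]; then
        echo "MISLEADING WARNING"     # banner only, no privilege behind it
    else
        echo "NO FINDING"
    fi
}

# Gather the evidence for the current login and print it with the verdict.
report() {
    home=${HOME:-/}
    [ -d "$home" ] || home=/          # same fallback login(1) applies
    uid=$(effective_uid)
    shadow=$(shadow_readable)
    banner=$(banner_in_profile "$home")
    echo "uid=$uid shadow_readable=$shadow banner_in=$home/.profile:$banner"
    classify_finding "$uid" "$shadow" "$banner"
}

report
```

Run it as the account in question; the last line is the only thing that belongs in the audit report, and the line before it is the evidence for it.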