Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

When is it too much security information?

By Andrew Pollack on 11/22/2006 at 10:45 PM EST

Between working on our Lotusphere Security Jump-Start with Gabriella Davis and doing a recent "Penetration Test" at a client site, I have been reminded of some really important steps that all Notes users should be taking to ensure their private stuff remains private. The thing is, if I start blogging the steps I take to poke into things I shouldn't, I risk providing the mental munitions that could fuel our own form of "script-kiddies" in the Notes world. I have no desire to do that.

Nothing I'm talking about here represents a product vulnerability. In fact, I usually start a security review or a penetration test with the point that if the product is used as intended, I should get nowhere. It's stable and secure. In practice, however, convenience and expediency lead to compromises and configurations that leave vulnerabilities. This is the same in any environment and with any product.

Without talking at all about what I did or didn't find at any particular client site -- because that would be completely unprofessional -- I've been giving some real thought to putting a short whitepaper together listing in detail the things any healthy Notes based organization should be looking at. If I start down those roads, I risk giving out some really easy to try techniques.

You tell me. Would you take the attitude that since some people already know it, everyone should be told to make the point about protecting yourself? Would you keep a distribution list tight and just try to encourage IT departments to pay more attention? Where do you stand?



re: When is it too much security information? By Nathan T. Freeman on 11/23/2006 at 07:10 AM EST
Security through obscurity helps no one. Write up what you know.

And put me on the distribution list for your draft. :-)
re: When is it too much security information? By Lars Berntrop-Bos on 11/24/2006 at 05:00 AM EST
Hear, hear, Nathan.

And I would love to read and comment on the draft.
re: When is it too much security information? By Warren Elsmore on 11/23/2006 at 09:06 AM EST
I wouldn't worry about making information public - it's out there already. It's
much more important to make sure that every admin knows how to make their
system secure.

I had the same dilemma with my 'Lock up your servers' BP session last year, but
there are open source Domino hacking tools out there already. Better to make
people aware of the risk than stick your head in the sand!!
re: When is it too much security information? By Bob Balaban on 11/23/2006 at 10:15 AM EST
Sounds like a great redpaper
re: When is it too much security information? By Scott Gentzen on 11/23/2006 at 11:15 AM EST
There's never too much information available on security. If it exists,
there's a pretty good chance that the bad guys already know about it.
Especially when it's one of those situations typical of Notes/Domino
environments where the exposure and vulnerabilities tend to be due to bad
configuration or procedural issues rather than a flaw in the product itself.
There are guides out there by the NSA and other security orgs on how to lock
down Windows systems and that's not making those environments more dangerous to
be in.
re: When is it too much security information? By Rob McDonagh on 11/23/2006 at 11:47 AM EST
Write it all up. As the others have said, the information is usually already
available to the bad guys. This is a classic debate, and I think the winner by
acclamation is always that the information should be shared.

And give serious thought to the redpaper approach, too. One negative
consequence I can see in publishing this information is that you are currently
paid for your expertise in this area. If you give away the knowledge, you
should try to do so in a way that maximizes the amount of credit you receive
for doing so. Of course, you're no fool, so I'm probably trying to teach my
grandma how to suck eggs. :D
re: When is it too much security information? By Ian Randall on 11/23/2006 at 06:46 PM EST
The purpose of a Redpaper such as you describe is to educate Administrators
about how to implement security for a Domino implementation correctly.

If that also educates "script-kiddies" & other hackers at the same time, so be
it. You can't base a sound security strategy on ignorance.

Perhaps after reading the document, some hackers might even be persuaded to
move on to easier targets.

You should even consider creating or commercializing some of your more useful
Penetration Test code as a suite of basic security tools for clients and other
Notes specialists who are less skilled in Notes/Domino security vulnerabilities
than yourself.

Please consider putting me on the distribution list for your draft as well. :-)
I think your expectation is some magic secret. It isn't that. By Andrew Pollack on 11/23/2006 at 07:19 PM EST
There is no pre-built toolkit. That's part of what I do. I go in and ask to
be set up as a new contractor or employee and take the default configuration as
given to me as the basis from which to expand my access. I do this with some
understandings in place that I won't break anything, expose data where it
shouldn't be exposed, or generally make matters worse. If I find things I
could do, I document them. When I make examples, I always use a fictitious
name so that my examples can't be taken out of context (e.g. if I can relay
mail, I may do so using an obviously fake name like 'thebossofyou@company.com'
but would never use the actual boss's name).

I don't bring in with me a kit of pre-built scripts, and usually don't plug my
laptop into their corporate network (unless I'm also testing that). My laptop
is open and powered up for reference, note taking, and is frequently connected
to the public internet by way of cellular modem -- but not through the company
network at all.

I don't dumpster dive, don't do much in the way of human engineering (though it
is insanely easy to do most of the time) and keep in my sandbox generally.
Basically, I try to avoid the "Movie of the Week" stuff. If someone wants it,
fine, but it's very expensive and a lot of time goes into ground rules.
Sneaking around like a criminal can lead to big misunderstandings and serious
problems.

That said, yes -- there are common things I look for right away. At least one
of which is very likely to work in most environments.

The thing is, there are no secret security holes that I am aware of. There are
no "zero day exploits" to take advantage of in the product that I am somehow
privy to.

So far, I'm getting responses here from Notes guys -- mostly high end,
independent types. What about the rest of you?

Rob, suppose I posted something here and you came in to work a few days later
to find that several of your end users were reading the email files belonging
to their boss? Are you saying the fecal matter wouldn't impact upon the rotary
oscillating device for you?

Oh - one more thing to add here... As far as me keeping methods and practices
a secret to protect my income -- it's not my style. I don't believe my value
is decreased just because I tell people how I do things. Lots of people can
write code. Lots of people can do most of the things I do. I'd like to think
the value I offer as a whole is larger than the sum of those parts by
themselves. If you look at any of the presentations (currently displayed
'screen left') you'll find I purposely put as much of the meat on the pages as
I can, rather than making empty bullet points you have to pay me to get value
from. That's a practice I've had some arguments with other consultants about
in the past. I think the latter practice is disgusting, and driven by fear.
If you posted something that would work on my servers... By Rob McDonagh on 11/23/2006 at 09:02 PM EST
...I'd take the necessary steps to fix it. I'm not saying my environment is
perfect, because I'm not quite that arrogant. But if I know of a potential
issue, I want to get it addressed. So if you posted something I wasn't aware
of, I'd fix it.

Now, if this is the hypothetical me, as opposed to the real me, and the
hypothetical me is not a reader of this blog and therefore doesn't see the
information in question, then the fecal matter might well strike the rotary air
circulation device. But honestly, if the hypothetical me isn't following the
Domino blogs and making the effort to stay informed (Google News keyword:
Domino, it ain't that hard), the hypothetical me isn't doing his job. Better
the issue be discovered sooner rather than later.

The answers above assume that the information isn't something already covered
in standard admin training and documentation. If it's more a case of most
admins forgetting simple things or not doing regular audits, then the fecal
matter darn well *ought* to be flying around.
re: When is it too much security information? By Sean Burgess on 11/27/2006 at 11:29 PM EST
I have to agree with everyone else in saying that keeping information private
doesn't make something more secure. MS has been practicing that with
Windows/Office for years and it hasn't really worked for them.

When I am wearing my Sys Admin hat (which isn't too often), I would love to
have a cheat sheet that would allow me to very quickly make sure my system is
secure. I know it wouldn't cover everything, but it would cover more than I
would discover on my own.

