Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

When is it too much security information?

By Andrew Pollack on 11/22/2006 at 10:45 PM EST

Between working on our Lotusphere Security Jump-Start with Gabriella Davis and doing a recent "Penetration Test" at a client site, I have been reminded of some really important steps that all Notes users should be taking to ensure their private stuff remains private. The thing is, if I start blogging the steps I take to poke into things I shouldn't, I risk providing the mental munitions that could fuel our own form of "script-kiddies" in the Notes world. I have no desire to do that.

Nothing I'm talking about here represents a product vulnerability. In fact, I usually start a security review or a penetration test with the point that if the product is used as intended, I should get nowhere. It's stable and secure. In practice, however, convenience and expediency lead to compromises and configurations that leave vulnerability. This is the same in any environment and with any product.

Without talking at all about what I did or didn't find at any particular client site -- because that would be completely unprofessional -- I've been giving some real thought to putting a short whitepaper together listing in detail the things any healthy Notes based organization should be looking at. If I start down those roads, I risk giving out some really easy to try techniques.

You tell me. Would you take the attitude that since some people already know it, everyone should be told to make the point about protecting yourself? Would you keep a distribution list tight and just try to encourage IT departments to pay more attention? Where do you stand?



re: When is it too much security information? By Nathan T. Freeman on 11/23/2006 at 07:10 AM EST
Security through obscurity helps no one. Write up what you know.

And put me on the distribution list for your draft. :-)

re: When is it too much security information? By Lars Berntrop-Bos on 11/24/2006 at 05:00 AM EST
hear hear, Nathan.

And I would love to read and comment on the draft.

re: When is it too much security information? By Warren Elsmore on 11/23/2006 at 09:06 AM EST
I wouldn't worry about making information public - it's out there already. It's
much more important to make sure that every admin knows how to make their
system secure.

I had the same dilemma with my 'Lock up your servers' BP session last year, but
there are open source Domino hacking tools out there already. Better to make
people aware of the risk than stick your head in the sand!!

re: When is it too much security information? By Bob Balaban on 11/23/2006 at 10:15 AM EST
Sounds like a great redpaper

re: When is it too much security information? By Scott Gentzen on 11/23/2006 at 11:15 AM EST
There's never too much information available on security. If it exists,
there's a pretty good chance that the bad guys already know about it.
Especially when it's one of those situations typical of Notes/Domino
environments where the exposure and vulnerabilities tend to be due to bad
configuration or procedural issues rather than a flaw in the product itself.
There are guides out there by the NSA and other security orgs on how to lock
down Windows systems and that's not making those environments more dangerous to
be in.

re: When is it too much security information? By Rob McDonagh on 11/23/2006 at 11:47 AM EST
Write it all up. As the others have said, the information is usually already
available to the bad guys. This is a classic debate, and I think the winner by
acclamation is always that the information should be shared.

And give serious thought to the redpaper approach, too. One negative
consequence I can see in publishing this information is that you are currently
paid for your expertise in this area. If you give away the knowledge, you
should try to do so in a way that maximizes the amount of credit you receive
for doing so. Of course, you're no fool, so I'm probably trying to teach my
grandma how to suck eggs. :D

re: When is it too much security information? By Ian Randall on 11/23/2006 at 06:46 PM EST
The purpose of a Redpaper such as you describe is to educate Administrators
about how to implement security for a Domino implementation correctly.

If that also educates "script-kiddies" & other hackers at the same time, so be
it. You can't base a sound security strategy on ignorance.

Perhaps after reading the document, some hackers might even be persuaded to
move on to easier targets.

You should even consider creating or commercializing some of your more useful
Penetration Test code as a suite of basic security tools for clients and other
Notes specialists who are less skilled in Notes/Domino security vulnerabilities
than yourself.

Please consider putting me on the distribution list for your draft as well. :-)

I think your expectation is some magic secret. It isn't that. By Andrew Pollack on 11/23/2006 at 07:19 PM EST
There is no pre-built toolkit. That's part of what I do. I go in and ask to
be set up as a new contractor or employee and take the default configuration as
given to me as the basis from which to expand my access. I do this with some
understandings in place that I won't break anything, expose data where it
shouldn't be exposed, or generally make matters worse. If I find things I
could do, I document them. When I make examples, I always use a fictitious
name so that my examples can't be taken out of context (e.g. if I can relay
mail, I may do so using an obviously fake name like 'thebossofyou@company.com'
but would never use the actual boss's name).

I don't bring in with me a kit of pre-built scripts, and usually don't plug my
laptop into their corporate network (unless I'm also testing that). My laptop
is open and powered up for reference, note taking, and is frequently connected
to the public internet by way of cellular modem -- but not through the company
network at all.

I don't dumpster dive, don't do much in the way of human engineering (though it
is insanely easy to do most of the time) and keep in my sandbox generally.
Basically, I try to avoid the "Movie of the Week" stuff. If someone wants it,
fine, but it's very expensive and a lot of time goes into ground rules.
Sneaking around like a criminal can lead to big misunderstandings and serious
problems.

That said, yes -- there are common things I look for right away. At least one
of which is very likely to work in most environments.

The thing is, there are no secret security holes that I am aware of. There are
no "zero day exploits" to take advantage of in the product that I am somehow
privy to.

So far, I'm getting responses here from Notes guys -- mostly high end,
independent types. What about the rest of you?

Rob, suppose I posted something here and you came in to work a few days later
to find that several of your end users were reading the email files belonging
to their boss? Are you saying the fecal matter wouldn't impact upon the rotary
oscillating device for you?

Oh - one more thing to add here... As far as me keeping methods and practices
a secret to protect my income -- it's not my style. I don't believe my value
is decreased just because I tell people how I do things. Lots of people can
write code. Lots of people can do most of the things I do. I'd like to think
the value I offer as a whole is larger than the sum of those parts by
themselves. If you look at any of the presentations (currently displayed
'screen left') you'll find I purposely put as much of the meat on the pages as
I can, rather than making empty bullet points you have to pay me to get value
from. That's a practice I've had some arguments with other consultants about
in the past. I think the latter practice is disgusting, and driven by fear.

If you posted something that would work on my servers... By Rob McDonagh on 11/23/2006 at 09:02 PM EST
...I'd take the necessary steps to fix it. I'm not saying my environment is
perfect, because I'm not quite that arrogant. But if I know of a potential
issue, I want to get it addressed. So if you posted something I wasn't aware
of, I'd fix it.

Now, if this is the hypothetical me, as opposed to the real me, and the
hypothetical me is not a reader of this blog and therefore doesn't see the
information in question, then the fecal matter might well strike the rotary air
circulation device. But honestly, if the hypothetical me isn't following the
Domino blogs and making the effort to stay informed (Google News keyword:
Domino, it ain't that hard), the hypothetical me isn't doing his job. Better
the issue be discovered sooner rather than later.

The answers above assume that the information isn't something already covered
in standard admin training and documentation. If it's more a case of most
admins forgetting simple things or not doing regular audits, then the fecal
matter darn well *ought* to be flying around.

re: When is it too much security information? By Sean Burgess on 11/27/2006 at 11:29 PM EST
I have to agree with everyone else in saying that keeping information private
doesn't make something more secure. MS has been practicing that with
Windows/Office for years and it hasn't really worked for them.

When I am wearing my Sys Admin hat (which isn't too often), I would love to
have a cheat sheet that would allow me to very quickly make sure my system is
secure. I know it wouldn't cover everything, but it would cover more than I
would discover on my own.
