Andrew Pollack's Blog
Technology, Family, Entertainment, Politics, and Random Noise| Professional Services | Second Signal | Presentations | Andrew's Blog | Support |
When is it too much security information?
By Andrew Pollack on 11/22/2006 at 10:45 PM ESTBetween working on our Lotusphere Security Jump-Start with Gabriella Davis and doing a recent "Penetration Test" at a client site, I have been reminded of some really important steps that all Notes users should be taking to ensure their private stuff remains private. The thing is, if I start blogging the steps I take to poke into things I shouldn't, I risk providing the mental munitions that could fuel our own form of "script-kiddies" in the Notes world. I have no desire to do that.
Nothing I'm talking about here represents a product vulnerability. In fact, I usually start a security review or a penetration test with the point that if the product is used as intended, I should get nowhere. It's stable and secure. In practice, however, convenience and expediency lead to compromises and configurations that leave vulnerability. This is the same in any environment and with any product.
Without talking at all about what I did or didn't find at any particular client site -- because that would be completely unprofessional -- I've been giving some real thought to putting a short whitepaper together listing in detail the things any healthy Notes based organization should be looking at. If I start down those roads, I risk giving out some really easy to try techniques.
You tell me. Would you take the attitude that since some people already know it, everyone should be told to make the point about protecting yourself? Would you keep a distribution list tight and just try to encourage IT departments to pay more attention? Where do you stand?
re: When is it too much security information?By Nathan T. Freeman on 11/23/2006 at 07:10 AM EST
re: When is it too much security information?By Lars Berntrop-Bos on 11/24/2006 at 05:00 AM EST
hear hear, Nathan.
And I would love to read and comment on the draft.
And I would love to read and comment on the draft.
re: When is it too much security information?By Warren Elsmore on 11/23/2006 at 09:06 AM EST
I wouldn't worry about making information public - it's out there already. It's
much more important to make sure that every admin knows how to make their
system secure.
I had the same dilemma with my 'Lock up your servers' BP session last year, but
there are open source Domino hacking tools out there already. Better to make
people aware of the risk than stick your head in the sand!!
much more important to make sure that every admin knows how to make their
system secure.
I had the same dilemma with my 'Lock up your servers' BP session last year, but
there are open source Domino hacking tools out there already. Better to make
people aware of the risk than stick your head in the sand!!
re: When is it too much security information?By Bob Balaban on 11/23/2006 at 10:15 AM EST
Sounds like a great redpaper
re: When is it too much security information?By Scott Gentzen on 11/23/2006 at 11:15 AM EST
There's never too much information available on security. If it exists,
there's a pretty good chance that the bad guys already know about it.
Especially when it's one of those situations typical of Notes/Domino
environments where the exposure and vulnurabilities tend to be due to bad
configuration or procedural issues rather than a flaw in the product itself.
There are guides out there by the NSA and other security orgs on how to lock
down Windows systems and that's not making those environments more dangerous to
be in.
there's a pretty good chance that the bad guys already know about it.
Especially when it's one of those situations typical of Notes/Domino
environments where the exposure and vulnurabilities tend to be due to bad
configuration or procedural issues rather than a flaw in the product itself.
There are guides out there by the NSA and other security orgs on how to lock
down Windows systems and that's not making those environments more dangerous to
be in.
re: When is it too much security information?By Rob McDonagh on 11/23/2006 at 11:47 AM EST
Write it all up. As the other have said, the information is usually already
available to the bad guys. This is a classic debate, and I think the winner by
acclamation is always that the information should be shared.
And give serious thought to the redpaper approach, too. One negative
consequence I can see in publishing this information is that you are currently
paid for your expertise in this area. If you give away the knowledge, you
should try to do so in a way that maximizes the amount of credit you receive
for doing so. Of course, you're no fool, so I'm probably trying to teach my
grandma how to suck eggs. :D
available to the bad guys. This is a classic debate, and I think the winner by
acclamation is always that the information should be shared.
And give serious thought to the redpaper approach, too. One negative
consequence I can see in publishing this information is that you are currently
paid for your expertise in this area. If you give away the knowledge, you
should try to do so in a way that maximizes the amount of credit you receive
for doing so. Of course, you're no fool, so I'm probably trying to teach my
grandma how to suck eggs. :D
re: When is it too much security information?By Ian Randall on 11/23/2006 at 06:46 PM EST
The purpose of a Redpaper such as you describe is to educate Administrators
about how to implement security for a Domino implementation correctly.
If that also educates "script-kiddies" & other hackers at the same time, so be
it. You can't base a sound security strategy on ignorance.
Perhaps after reading the document, some hackers might even be pursuaded to
move on to easier targets.
You should even consider creating or commercializing some of your more useful
Penetration Test code as a suite of basic security tools for clients and other
Notes specialists who are less skilled in Notes/Domino security vulnerabilities
than yourself.
Please consider putting me on the distribution list for your draft as well. :-)
about how to implement security for a Domino implementation correctly.
If that also educates "script-kiddies" & other hackers at the same time, so be
it. You can't base a sound security strategy on ignorance.
Perhaps after reading the document, some hackers might even be pursuaded to
move on to easier targets.
You should even consider creating or commercializing some of your more useful
Penetration Test code as a suite of basic security tools for clients and other
Notes specialists who are less skilled in Notes/Domino security vulnerabilities
than yourself.
Please consider putting me on the distribution list for your draft as well. :-)
I think your expectation is some magic secret. It isn't that.By Andrew Pollack on 11/23/2006 at 07:19 PM EST
There is no pre-built toolkit. That's part of what I do. I go in and ask to
be set up as a new contractor or employee and take the default configuration as
given to me as the basis from which to expand my access. I do this with some
understandings in place that I won't break anything, expose data where it
shouldn't be exposed, or generally make matters worse. If I find things I
could do, I document them. When I make examples, I always use a fictitious
name so that my examples can't be taken out of context (e.g. if I can relay
mail, I may do so using an obviously fake name like 'thebossofyou@company.com'
but would never use the actual boss's name.
I don't bring in with me a kit of pre-built scripts, and usually don't plug my
laptop into their corporate network (unless I'm also testing that). My laptop
is open and powered up for reference, note taking, and is frequently connected
to the public internet by way of cellular modem -- but not through the company
network at all.
I don't dumpster dive, don't do much in the way of human engineering (though it
is insanely easy to do most of the time) and keep in my sandbox generally.
Basically, I try to avoid the "Movie of the Week" stuff. If someone wants it,
fine, but it's very expensive and a lot of time goes into ground rules.
Sneaking around like a criminal can lead to big misunderstandings and serious
problems.
That said, yes -- there are common things I look for right away. At least one
of which is very likely to work in most environments.
The thing is, there are no secret security holes that I am aware of. There are
no "zero day exploits" to take advantage of in the product that I am somehow
privy to.
So far, I'm getting responses here from Notes guys -- mostly high end,
independent types. What about the rest of you?
Rob, suppose I posted something here and you came in to work a few days later
to find that several of your end users were reading the email files belonging
to their boss? Are you saying the fecal matter wouldn't impact upon the rotary
oscillating device for you?
Oh - one more thing to add here... As far as me keeping methods and practices
a secret to protect my income -- it's not my style. I don't believe my value
is decreased just because I tell people how I do things. Lots of people can
write code. Lots of people can do most of the things I do. I'd like to think
the value I offer as a whole is larger than the sum of those parts by
themselves. If you look at any of the presentations (currently displayed
'screen left') you'll find I purposely put as much of the meat on the pages as
I can, rather than making empty bullet points you have to pay me to get value
from. That's a practice I've had some arguments with other consultants about
in the past. I think the latter practice is disgusting, and driven by fear.
be set up as a new contractor or employee and take the default configuration as
given to me as the basis from which to expand my access. I do this with some
understandings in place that I won't break anything, expose data where it
shouldn't be exposed, or generally make matters worse. If I find things I
could do, I document them. When I make examples, I always use a fictitious
name so that my examples can't be taken out of context (e.g. if I can relay
mail, I may do so using an obviously fake name like 'thebossofyou@company.com'
but would never use the actual boss's name.
I don't bring in with me a kit of pre-built scripts, and usually don't plug my
laptop into their corporate network (unless I'm also testing that). My laptop
is open and powered up for reference, note taking, and is frequently connected
to the public internet by way of cellular modem -- but not through the company
network at all.
I don't dumpster dive, don't do much in the way of human engineering (though it
is insanely easy to do most of the time) and keep in my sandbox generally.
Basically, I try to avoid the "Movie of the Week" stuff. If someone wants it,
fine, but it's very expensive and a lot of time goes into ground rules.
Sneaking around like a criminal can lead to big misunderstandings and serious
problems.
That said, yes -- there are common things I look for right away. At least one
of which is very likely to work in most environments.
The thing is, there are no secret security holes that I am aware of. There are
no "zero day exploits" to take advantage of in the product that I am somehow
privy to.
So far, I'm getting responses here from Notes guys -- mostly high end,
independent types. What about the rest of you?
Rob, suppose I posted something here and you came in to work a few days later
to find that several of your end users were reading the email files belonging
to their boss? Are you saying the fecal matter wouldn't impact upon the rotary
oscillating device for you?
Oh - one more thing to add here... As far as me keeping methods and practices
a secret to protect my income -- it's not my style. I don't believe my value
is decreased just because I tell people how I do things. Lots of people can
write code. Lots of people can do most of the things I do. I'd like to think
the value I offer as a whole is larger than the sum of those parts by
themselves. If you look at any of the presentations (currently displayed
'screen left') you'll find I purposely put as much of the meat on the pages as
I can, rather than making empty bullet points you have to pay me to get value
from. That's a practice I've had some arguments with other consultants about
in the past. I think the latter practice is disgusting, and driven by fear.
If you posted something that would work on my servers...By Rob McDonagh on 11/23/2006 at 09:02 PM EST
...I'd take the necessary steps to fix it. I'm not saying my environment is
perfect, because I'm not quite that arrogant. But if I know of a potential
issue, I want to get it addressed. So if you posted something I wasn't aware
of, I'd fix it.
Now, if this is the hypothetical me, as opposed to the real me, and the
hypothetical me is not a reader of this blog and therefore doesn't see the
information in question, then the fecal matter might well strike the rotary air
circulation device. But honestly, if the hypothetical me isn't following the
Domino blogs and making the effort to stay informed (Google News keyword:
Domino, it ain't that hard), the hypothetical me isn't doing his job. Better
the issue be discovered sooner rather than later.
The answers above assume that the information isn't something already covered
in standard admin training and documentation. If it's more a case of most
admins forgetting simple things or not doing regular audits, then the fecal
matter darn well *ought* to be flying around.
perfect, because I'm not quite that arrogant. But if I know of a potential
issue, I want to get it addressed. So if you posted something I wasn't aware
of, I'd fix it.
Now, if this is the hypothetical me, as opposed to the real me, and the
hypothetical me is not a reader of this blog and therefore doesn't see the
information in question, then the fecal matter might well strike the rotary air
circulation device. But honestly, if the hypothetical me isn't following the
Domino blogs and making the effort to stay informed (Google News keyword:
Domino, it ain't that hard), the hypothetical me isn't doing his job. Better
the issue be discovered sooner rather than later.
The answers above assume that the information isn't something already covered
in standard admin training and documentation. If it's more a case of most
admins forgetting simple things or not doing regular audits, then the fecal
matter darn well *ought* to be flying around.
re: When is it too much security information?By Sean Burgess on 11/27/2006 at 11:29 PM EST
I have to agree with everyone else in saying that keeping information private
doesn't make something more secure. MS has been practicing that with
Windows/Office for years and it hasn't really worked for them.
When I am wearing my Sys Admin hat (which isn't too often), I would love to
have a cheat sheet that would allow me to very quickly make sure my system is
secure. I know it wouldn't cover everything, but it would cover more than I
would discover on my own.
doesn't make something more secure. MS has been practicing that with
Windows/Office for years and it hasn't really worked for them.
When I am wearing my Sys Admin hat (which isn't too often), I would love to
have a cheat sheet that would allow me to very quickly make sure my system is
secure. I know it wouldn't cover everything, but it would cover more than I
would discover on my own.
Other Recent Stories...
- 01/26/2023Better Running VirtualBox or VMWARE Virtual Machines on Windows 10+ Forgive me, Reader, for I have sinned. I has been nearly 3 years since my last blog entry. The truth is, I haven't had much to say that was worthy of more than a basic social media post -- until today. For my current work, I was assigned a new laptop. It's a real powerhouse machine with 14 processor cores and 64 gigs of ram. It should be perfect for running my development environment in a virtual machine, but it wasn't. VirtualBox was barely starting, and no matter how many features I turned off, it could ......
- 04/04/2020How many Ventilators for the price of those tanks the Pentagon didn't even want?This goes WAY beyond Trump or Obama. This is decades of poor planning and poor use of funds. Certainly it should have been addressed in the Trump, Obama, Bush, Clinton, Bush, and Reagan administrations -- all of which were well aware of the implications of a pandemic. I want a military prepared to help us, not just hurt other people. As an American I expect that with the ridiculous funding of our military might, we are prepared for damn near everything. Not just killing people and breaking things, but ......
- 01/28/2020Copyright Troll WarningThere's a copyright troll firm that has automated reverse-image searches and goes around looking for any posted images that they can make a quick copyright claim on. This is not quite a scam because it's technically legal, but it's run very much like a scam. This company works with a few "clients" that have vast repositories of copyrighted images. The trolls do a reverse web search on those images looking for hits. When they find one on a site that looks like someone they can scare, they work it like ......
- 03/26/2019Undestanding how OAUTH scopes will bring the concept of APPS to your Domino server
- 02/05/2019Toro Yard Equipment - Not really a premium brand as far as I am concerned
- 10/08/2018Will you be at the NYC Launch Event for HCL Domino v10 -- Find me!
- 09/04/2018With two big projects on hold, I suddenly find myself very available for new short and long term projects.
- 07/13/2018Who is HCL and why is it a good thing that they are now the ones behind Notes and Domino?
- 03/21/2018Domino Apps on IOS is a Game Changer. Quit holding back.
- 02/15/2018Andrew’s Proposed Gun Laws
And put me on the distribution list for your draft. :-)