Joe, that's not necessarily the case. Here we use a 3rd-party penetration test firm (not IBM) to probe our network & systems. There are many things that can be revealed by the tests. Typically, you'll want to do at least 2 tests. The first is to find what your exposures are, because chances are you don't know about some of them. Then you analyze the report from the vendor and close all the holes you can. Then you do it again to see the new result. Ideally you do it continually to find new exposures as they occur, whether from new vulnerabilities being identified, new servers going online, or changes in the infrastructure. They don't have to mean your security policy or implementation is bad. Our service acknowledges that a perfect score is practically unattainable for any network connected to the Internet.

Taking Windows as an example, you might have an IIS server that completely passes the pen tests one week but has three exposures the next. That's more than likely the result of new vulnerabilities being identified and updates to the pen test process than a sudden lapse in the server's security.

Even if Dekko's (I see the posts and keep thinking his name is Rob Dekko...) security is poor now, at least they're working on it. Chances are, though, that it's not poor but simply hasn't been maintained as well as it could be. And that applies to all levels of the infrastructure: firewalls, routers, VPNs, web & app servers (hardware + OS), web & app servers (web/app server application a la IIS, Apache, WebSphere), and the underlying applications. All the vendors, from Cisco to IBM to Oracle, etc., have flaws that get uncovered from time to time. And of course Rob wouldn't want to reveal on a public forum what their issues are. Anyone reading the message could potentially exploit the threat before Dekko resolves the issues. Maybe Rob can give us a sample or two after they're satisfied they've solved the problems. If not, maybe just a list of PTFs...
Oh, here's the link to IBM's security assessment services: http://www-1.ibm.com/services/us/index.wss/of_services/bcs/a1002367

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787 F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: Joe Pluta [mailto:joepluta@xxxxxxxxxxxxxxxxx]
Sent: Thursday, January 27, 2005 12:04 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: IBM's benevolent hacking

I'm not sure what this paragraph means, but I'll bite. It sounds like your security setup is pretty terrible. Additionally, it sounds like you're blaming at least some of your problems on OS/400, but you're not going to tell us what those problems are. If that's the case, then maybe you can tell us what part of IBM you contracted with, and exactly what you contracted to them for, and that way your post might have some benefit to the rest of us.

Joe

> From: rob@xxxxxxxxx
>
> Contracted with IBM to do benevolent hacking. Greatest outsourcing we've
> ever done. Got this 40+ page document. It listed several "incidents" we
> need to address. I am not permitted to post them on this list. One thing
> that I thought was pretty sharp, IBM called and said "person ... went to
> website ... and that tried to install some malicious code. You need to
> block ...". Now I have to open a new flurry of PMRs that I would love to
> post to this list but a rather stern warning from the boss, and, well,
> that ain't going to happen.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list.