Quite clearly spoken.  Thank you John.

Some are OS/400 TCP/IP specific.  I've opened PMR's and was told the newer 
level of service is not offered under OS/400.  There was no plan on going 
to that level of service.  So I don't know if I should throw chairs, open 
DCR's or both.

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





"Jones, John (US)" <John.Jones@xxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
01/27/2005 01:04 PM
Please respond to: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc:
Subject: RE: IBM's benevolent hacking

Joe, that's not necessarily the case.

Here we use a 3rd party penetration test firm (not IBM) to probe our
network & systems.  There are many things that can be revealed by the
tests.  Typically, you'll want to do at least 2 tests.  The first is to
find what your exposures are because chances are you don't know about
some of them.  Then you analyze the report from the vendor and close all
the holes you can.  Then you do it again to see the new result. 

Ideally you do it continually to find new exposures as they occur, be
they from new vulnerabilities being identified to new servers going
online to changes in the infrastructure.  They don't have to mean your
security policy or implementation is bad.  Our service acknowledges that
a perfect score is practically unattainable for any network connected to
the Internet.

Taking Windows as an example, you might have an IIS server that
completely passes the pen tests one week but has three exposures the
next.  That's more than likely the result of new vulnerabilities being
identified and updates to the pen test process than it is a sudden lapse
in the server's security.

Even if Dekko's (I see the posts and keep thinking his name is Rob
Dekko...) security is poor now, at least they're working on it.  Chances
are, though, that it's not poor but simply hasn't been maintained as
well as it could be.  And that applies to all levels of the
infrastructure: firewalls, routers, VPNs, web & app servers (hardware +
OS), web & app servers (web/app server application a la IIS, Apache,
WebSphere), and the underlying applications.  All the vendors, from
Cisco to IBM to Oracle, etc. all have flaws that get uncovered from time
to time.

And of course Rob wouldn't want to reveal on a public forum what their
issues are.  Anyone reading the message could potentially exploit the
threat before Dekko resolves the issues.  Maybe Rob can give us a sample
or two after they're satisfied they've solved the problems.  If not,
maybe just a list of PTFs...

Oh, here's the link to IBM's security assessment services:
http://www-1.ibm.com/services/us/index.wss/of_services/bcs/a1002367

John A. Jones, CISSP
Americas Information Security Officer
Jones Lang LaSalle, Inc.
V: +1-630-455-2787  F: +1-312-601-1782
john.jones@xxxxxxxxxx

-----Original Message-----
From: Joe Pluta [mailto:joepluta@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, January 27, 2005 12:04 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: IBM's benevolent hacking

I'm not sure what this paragraph means, but I'll bite.  It sounds like
your security setup is pretty terrible.  Additionally, it sounds like
you're blaming at least some of your problems on OS/400, but you're not
going to tell us what those problems are.

If that's the case, then maybe you can tell us what part of IBM you
contracted with, and exactly what you contracted to them for, and that
way your post might have some benefit to the rest of us.

Joe


> From: rob@xxxxxxxxx
> 
> Contracted with IBM to do benevolent hacking.  Greatest outsourcing we've
> ever done.  Got this 40+ page document.  It listed several "incidents" we
> need to address.  I am not permitted to post them on this list.  One thing
> that I thought was pretty sharp, IBM called and said "person ... went to
> website ... and that tried to install some malicious code.  You need to
> block ...".  Now I have to open a new flurry of pmr's that I would love to
> post to this list but a rather stern warning from the boss, and, well,
> that ain't going to happen.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.



