RE: [Security400] How paranoid do you get?

["Walden H. Leverich" <WaldenL@xxxxxxxxxxxxxxx>]

Mike,

There are two ways one can steal data, break in and get it from the database
or grab it on the wire as it gets transmitted. You're asking about grabbing
it from the wire, no?

Think about the data path. The data (probably) goes:

1) Out the back of your machine

2) over your internal lan (which presumably is Cat 5, home runs to a switch
(not a hub) in the machine room)

3) Through your router to the outside world

4) Down your T1 to your ISP

5) Over his OC3 to his ISP

6) Over his OC3 to your payroll companies ISP

7) Over the payroll companies T1 to their router

8) Through their router to their iSeries (also plugged into a switch)

Where in this path to you think it's likely that someone will grab your
data? Is it possible, sure, anything  is possible, but it takes a fair bit
of equipment and skill to dig up a OC3 line between two ISPs and tap in
without bringing the line down. Then to watch all the data and find
something interesting... The only people doing that are the FBI with
Carnivore[1].

-Walden

[1] Oh damn, I mentioned Carnivore on an open line, I guess I'll have the
info police here this afternoon <G>


------------
Walden H Leverich III
President
Tech Software
(516) 627-3800 x11
(208) 692-3308 eFax
WaldenL@TechSoftInc.com
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)



-----Original Message-----
From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]
Sent: Monday, July 29, 2002 14:17
To: 'security400@midrange.com'
Subject: RE: [Security400] How paranoid do you get?


I guess what I am looking for mostly is. When I transmit any kind of data,
not matter if it is in Client Access, FTP, Client-server, http, or anything
else. How concerned should we be if our payroll system's client access
doesn't use SSL?

-----Original Message-----
From: Andy Nolen-Parkhouse [mailto:aparkhouse@attbi.com]
Sent: Monday, July 29, 2002 11:49 AM
To: security400@midrange.com
Subject: RE: [Security400] How paranoid do you get?


Mike,

Do you mean 'transmissions'?

Andy Nolen-Parkhouse

> -----Original Message-----
> From: security400-admin@midrange.com [mailto:security400-
> admin@midrange.com] On Behalf Of Wills, Mike N. (TC)
> Sent: Monday, July 29, 2002 11:29 AM
> To: 'security400@midrange.com'
> Subject: [Security400] How paranoid do you get?
>
> How paranoid do you get about data transitions on a WAN? I am talking
> about Payroll data, financial reports etc.
>
> Mike
> _______________________________________________
> This is the Security Administration on the AS400 / iSeries
(Security400)
> mailing list
> To post a message email: Security400@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/security400
> or email: Security400-request@midrange.com
> Before posting, please take a moment to review the archives at
> http://archive.midrange.com/security400.


_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@midrange.com To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.
_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@midrange.com To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/security400
or email: Security400-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.