Verily, at 02:41 PM 5/29/96 -0400, Fred Cohen <fc @ net> did write:
While I have not visited all.net's home page regarding this topic,
I have some security concerns about the following announcement:
>Announcing: The Internet Security Survey
> The intent of the ISS is to provide simple answers to simple
>questions that decision makers have about information protection.
> The ISS was created and is operated by Management Analytics,
>Rayzarb Associates, and Information Integrity for the benefit of the
>global computing community.
Trying to update our marketing database? 8^)
>The ISS is differentiated from other similar surveys in several ways:
> 1) The data and results from our monthly survey will be
> published via the Web so that anyone can use the raw data to do
> their own analysis and report their own results.
*Anyone* can access the raw data? What about the security risks of the
companies who participate in the survey? Since the data is being collected
over the web, what measures are in place to ensure that the data being
transmitted is secure (and kept confidential)?
Also, anyone participating in this should be aware that they will probably
be revealing information about their security which should remain secret.
> 2) The data collection process is designed to assure anonymity
> while allowing authenticity and verification of results.
Personally, I would like to see some clarification of how anonymity is
assured, while allowing authenticity & verification of results AND that
the data is accurate.
> 3) Data can be provided by anyone at any level within an
> organization, so that a LAN manager can report data just as well
> as a vice president, with the results being meaningful in both
Again, how is the accuracy of the data being maintained? What if two
reports from the same company indicate different results? What is the
anticipated margin of error? How is this figure arrived at?
> 4) While most surveys collect a lot of data from each
> participant once, the ISS collects small amounts of data from a
> lot of sources many times. This allows people to participate in
> smaller "chunks".
> 5) We have taken care in our surveys to assure that, by default,
> answers are treated as having minimal validity. By selecting
> the proper defaults, we hope to get respondents to think about
> validity issues, or at a minimum, to treat casual answers as
> just that.
>To participate in the survey, use URL:
> and select "Internet Security Survey"
Last, but not least, I see Ian J-B as the apparent sender (from the bottom
of the mail), yet it appears to come from Fred Cohen's account. ??? 8^( ???
This discrepancy should necessitate caution on the participant's mind before
participating in the survey. The mail could be from an internal employee
who has permission to use Fred's account OR it could be a forged mail and
the hacker just slipped.
FWIW, other surveys (such as CSI, etc.) are performed which use snail mail
(the postal service) as the transport medium. While the advertising needed
to reach participants is significantly more than the Internet (which is
essentially free), it is probably more secure than using the Internet.
If I were a hacker (I'm not), I would set my sniffer to dump the traffic
heading to/from all.net having the trigger set to Internet Security Survey
and to grab the first 1-5K of raw data. This assumes a couple of fairly
large disks are being used, but OTOH, how many systems can a hacker crack
in his/her lifetime?
Food for thought.
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist