Security Basics mailing list archives
Re: Secure host newbie - fun - humm - yup
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Wed, 7 Apr 2004 07:08:37 -0700 (PDT)
hi ya ranjeet
> I'd say that most of the **avoidable** security **problems** are created
> by human beings (and network admins too). Just going over the recent
> well-publicised and researched break-ins:
>
> ftp.gnu.org - known ptrace kernel exploit (but no solution available)
>   - TECHNOLOGY + HUMAN (cos admins decided to leave the machine running and "risk it")
> Linux kernel.org - new CVS pserver exploit
>   - TECHNOLOGY
> debian - weak password + new rsync exploit + known kernel exploit
>   - HUMAN + TECHNOLOGY + HUMAN
> gentoo - new rsync exploit + known kernel exploit
>   - TECHNOLOGY + HUMAN
> gnome - known rsync exploit
>   - HUMAN

good list

and the sourceforge.net one - httpd running as nobody instead of uniq-id and passwd

and, our fun folks at MS and all the managers/decision makers that insist there is no flat tire :-)
"it's MS... who are you :-) to disagree with MS"

and, i think rsync and passwdless logins are just asking for a chain reaction of happy hackers gone to heaven when their "rm -rf ?" gets merrily propagated to other [automated dumb] boxes - until that happens to somebody, i guess it's an uphill battle to be listed with wireless and vpn break-ins that are publicly announced and covered and subsequent security changes

and the wish list is i hope they fix openssh/openssl ... it gets uncomfy when ssh is exploitable and job security :-)

and ...

c ya
alvin

> (My interpretation:
>   TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
>   HUMAN - driving around despite knowing that you have a flat tyre.)
>
> I think this shows that the human factor is almost always present when
> security problems are discovered.
>
> Ranjeet.
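The "rm -rf gets merrily propagated to other [automated dumb] boxes" scenario above is the one thing in this exchange a practitioner can actually build a check for. The following is an added example, not code from the thread or from any of the projects named in it: it models a chain of cron-driven, password-less mirror jobs as plain dicts, shows a bare `--delete`-style mirror copying an emptied upstream all the way down the chain, and adds the guard that stops it, refusing any run that would delete more than a fixed share of the destination. All directory trees, paths and the 25% threshold are constructed sample data and assumed policy, not anything from the posts.

```python
"""Deletion guard for an automated mirror chain (added example).

This is not code from the thread.  It models the failure mode described
above: an upstream that gets "rm -rf"'d, and password-less, cron-driven
rsync --delete jobs that faithfully copy the emptiness to every downstream
box.  Directory trees are modelled as {path: content} dicts, and every tree
below is constructed sample data, not a real host.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class MirrorRefused(Exception):
    """The sync would delete more of the destination than policy allows."""


@dataclass
class Plan:
    to_copy: set[str] = field(default_factory=set)    # new or changed upstream
    to_delete: set[str] = field(default_factory=set)  # present here, gone upstream


def plan_mirror(src: dict[str, bytes], dst: dict[str, bytes]) -> Plan:
    """What a --delete style mirror run would do: copy what differs, delete what vanished."""
    plan = Plan()
    plan.to_copy = {p for p, data in src.items() if dst.get(p) != data}
    plan.to_delete = set(dst) - set(src)
    return plan


def apply_mirror(src: dict[str, bytes], dst: dict[str, bytes],
                 max_delete_fraction: float = 0.25) -> Plan:
    """Mirror src onto dst in place, refusing wholesale deletions.

    Deleting more than max_delete_fraction of dst's files in one run is
    treated as "upstream is broken", not "upstream retired some packages",
    and the run aborts before touching dst.  A fraction of 1.0 disables the
    guard and behaves like a bare --delete.  (Threshold is an assumed policy.)
    """
    plan = plan_mirror(src, dst)
    limit = int(max_delete_fraction * len(dst))
    if len(plan.to_delete) > limit:
        raise MirrorRefused(
            f"would delete {len(plan.to_delete)} of {len(dst)} files; limit is {limit}")
    for path in plan.to_delete:
        del dst[path]
    for path in plan.to_copy:
        dst[path] = src[path]
    return plan


def run_chain(hosts: list[dict[str, bytes]], guarded: bool) -> list[int]:
    """Run each hop upstream -> mirror1 -> mirror2 ... as independent cron jobs.

    A refused hop leaves its destination untouched, and the next hop still
    runs from that intact copy.  Returns the file count on every host.
    """
    for src, dst in zip(hosts, hosts[1:]):
        try:
            apply_mirror(src, dst, max_delete_fraction=0.25 if guarded else 1.0)
        except MirrorRefused:
            pass  # the cron job exits non-zero; this box keeps what it has
    return [len(h) for h in hosts]


def sample_tree(n: int = 8) -> dict[str, bytes]:
    """Constructed sample mirror content (hypothetical paths)."""
    return {f"pub/pkg{i}.tar.gz": b"release-1" for i in range(n)}


def demo() -> dict:
    # Routine day: one package updated, one retired.  Within policy, applied.
    upstream = sample_tree()
    upstream["pub/pkg0.tar.gz"] = b"release-2"
    del upstream["pub/pkg7.tar.gz"]
    routine = apply_mirror(upstream, sample_tree())

    # Bad day: upstream is empty.  Unguarded, the wipe walks the whole chain;
    # guarded, the first hop refuses and the downstream copies survive.
    unguarded = run_chain([{}, sample_tree(), sample_tree()], guarded=False)
    guarded = run_chain([{}, sample_tree(), sample_tree()], guarded=True)
    return {"routine": routine, "unguarded": unguarded, "guarded": guarded}


if __name__ == "__main__":
    print(demo())
```

With real rsync the same brake exists as `--max-delete=NUM`, which caps deletions per run in absolute terms and makes rsync exit non-zero when the cap is hit; a downstream job should treat that non-zero exit as "do not proceed", exactly as `run_chain` does. The fraction-based guard here is a modelling choice for the example, not an rsync feature.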
Current thread:
- RE: Secure host newbie - fun - humm Charles Highsmith (Apr 02)
- RE: Secure host newbie - fun - humm Ranjeet Shetye (Apr 05)
- Re: Secure host newbie - fun - humm Barry Fitzgerald (Apr 07)
- Re: Secure host newbie - fun - humm Ranjeet Shetye (Apr 07)
- Re: Secure host newbie - fun - humm Barry Fitzgerald (Apr 07)
- Re: Secure host newbie - fun - humm Ranjeet Shetye (Apr 07)
- Re: Secure host newbie - fun - humm Barry Fitzgerald (Apr 07)
- Re: Secure host newbie - fun - humm Ranjeet Shetye (Apr 07)
- Re: Secure host newbie - fun - humm Barry Fitzgerald (Apr 07)
- Re: Secure host newbie - fun - humm Barry Fitzgerald (Apr 07)
- RE: Secure host newbie - fun - humm Ranjeet Shetye (Apr 05)
- Re: Secure host newbie - fun - humm Fredrik Hult (Apr 12)
- <Possible follow-ups>
- RE: Secure host newbie - fun - humm Chinnery, Paul (Apr 07)
- corrected HIPAA facts. Ranjeet Shetye (Apr 07)