Security Basics mailing list archives
RE: Secure host newbie - fun - humm
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Mon, 05 Apr 2004 13:36:28 -0700
I'd say that most of the **avoidable** security **problems** are created by human beings (and network admins too).

Just going over the recent well-publicised and researched break-ins:

- ftp.gnu.org - known ptrace kernel exploit (but no solution available) - TECHNOLOGY + HUMAN (cos admins decided to leave machine running and "risk it").
- Linux kernel.org - new CVS pserver exploit - TECHNOLOGY.
- debian - weak password + new rsync exploit + known kernel exploit - HUMAN + TECHNOLOGY + HUMAN.
- gentoo - new rsync exploit + known kernel exploit - TECHNOLOGY + HUMAN.
- gnome - known rsync exploit - HUMAN.

(My interpretation: TECHNOLOGY - unexpectedly getting a flat tyre while you're driving. HUMAN - driving around despite knowing that you have a flat tyre.)

I think this shows that the human factor is almost always present when security problems are discovered.

Ranjeet.

On Fri, 2004-04-02 at 11:19, Charles Highsmith wrote:
> Alvin, simon, Theadore! Doot doot da doot doot doot...
>
> 95% of security is people management? That's funny. No wonder half this world is vulnerable to stupid and trivial security issues.
>
> -----Original Message-----
> From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Consulting com]
> Sent: Thursday, April 01, 2004 7:05 PM
> To: Simon Lemieux
> Cc: security-basics () securityfocus com
> Subject: Re: Secure host newbie - fun - humm
>
> hi ya simon
>
> i dont mean to scare ya but... i'd venture to say ... 95% of security is just people management ... and 5% is implementing a techie solution...
>
> - 90% of all security issues is internal ... not from outside the internet ...
>
> > Thank you for your guidelines, though I fear they will not affect me since I'm alone with my best friend in this business... and he knows nothing about linux and network. All I have to fear comes from the internet.
>
> you forgot to include *yourself* in the "internal [cr/h]ackers"
>
> - rm -rf / will always be an important [security/backup] lesson :-)
>
> - all the "security stuff" affects you... even if it's only you and your own machine and nobody else in the house/bldg
>
> see the links to SANS top 7, top 20 security boo-boos
> http://www.sans.org/resources/errors.php
> http://www.sans.org/top20
>
> - more - http://www.Linux-sec.net
>
> have fun
> alvin
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
> Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.