Security Incidents mailing list archives

RE: Hacked web server


From: Ryan Yagatich <ryany () pantek com>
Date: Fri, 24 Jan 2003 12:24:24 -0500 (EST)

Jason et al,
        You are absolutely correct, anything that automatically updates a
system is bringing in additional issues itself (i.e. the updating software
and any updates that haven't been tested). That is part of what makes
Pantek Server Security Guard better than things like Windows automatic
updates, or things like 'auto-rpm'. I don't usually like to plug commercial
products on lists like this, however with Pantek Server Security Guard the
updates are applied manually. Since this is not meant to be an
advertisement, you can find information regarding it at
http://www.pantek.com/security/ .
        When I referenced the Automatic Updates, I didn't really explain
what I was getting at enough. Basically, my point of view is that not only
is it there for the people who are uneducated or do not have the
resources to go to windowsupdate.microsoft.com, but maybe it can be
something to alert them that there are vulnerabilities out there besides
service pack updates to the systems.
        Now, there are some pitfalls to it because upon the first
initialization of it (I believe by default) the configuration is set to
automatically download and automatically install them so the user doesn't
have to do any work. The user just clicks on OK to be ready to install the
automatic updates. This is a problem because it doesn't really alert them
that security is an issue, but that the computer can mysteriously re-boot
some mornings at 03:00. I think that a notifying service of some form
could be more successful at keeping people from updating and not paying
attention to what is being updated.
        This then brings in the fact that there are services like the
above mentioned, where companies will install the updates on the system
for you. To many, this comes across as 'if Microsoft already
does it (or if auto-rpm already does it), why do I need to pay for a
service, or for one of my administrators to take the precious time out of
their day to do it'. For instance, if the company has its own custom-
written software on the system that is linked against specific libraries
and versions of those libraries, the software could break at any point
because of the update.
        But, as I mentioned, you are absolutely correct. Anything that
automatically downloads and executes applications is by far something that
brings in more elements of insecurity, but when used appropriately (i.e.
using it more as a notification service than an installation/update
service) it _can_ bring a bit of knowledge to the end administrator
that there are applications that need to be updated on a regular basis.
Then again, if they don't care, then it's completely useless.

,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /
\___5AD777E93D62CC6D850A4DD3F2F730F882532B502A777873___\

On Mon, 20 Jan 2003, Jason Coombs wrote:

Ryan,

You seem to be implying with your comments below that an auto-updater is a
*good thing* that makes computer systems more secure. This is just not true.
A computer system designed to do things without your knowledge or permission
that runs services that you don't need or want and can't turn off is the
starting point of insecurity. You cannot add yet another complex automated
service that downloads and executes code automatically to an already complex
bug- and service-ridden infrastructure and think this makes everything okay
now.

Many computerized systems would be far better off (more secure, cheaper to
operate, etc.) using a couple full-time humans with calculators, pen and
paper, and maybe even telephones provided the staff receive proper security
training.

Microsoft has created the 'auto update' scheduler which runs regularly
'behind the scenes' that the administrator can use to have it
automatically apply these patches.
     How is it that with services like this available that people are
still not aware of them? Or, could it be that they are well aware of them
but are falling victim to the notion that there really is no need for
security in general, and that they are not at risk?


<original message snipped>
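The thread above contrasts the "download and install silently, reboot at 03:00" default with a notify-only mode that tells the administrator updates exist and leaves the decision to them. The following script is an added example, not code from either poster or from Pantek; it assumes a modern Windows host where the Automatic Updates client still honours the documented "Configure Automatic Updates" policy stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (value AUOptions: 2 = notify before download, 3 = auto download and notify before install, 4 = auto download and schedule install, 5 = let the local admin choose). It reports the current setting and, if you uncomment the last line, switches the host to notify-only; the function names are the example's own.

```powershell
# Added example (not from the original thread): inspect and optionally change
# the Windows Automatic Updates policy so the host notifies the administrator
# rather than silently installing and rebooting.
# Assumes the documented policy key and AUOptions value below; run from an
# elevated PowerShell session. Changing the value only takes effect for the
# Automatic Updates client, it does not install or remove anything itself.

$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of AUOptions as documented for the "Configure Automatic Updates" policy.
$AuOptionMeaning = @{
    2 = 'Notify before download (nothing downloaded or installed until an admin acts)'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install (the silent 03:00 reboot case)'
    5 = 'Allow the local administrator to choose the setting'
}

function Get-AutoUpdatePolicy {
    # Returns the current AUOptions value, or $null when no policy is set
    # (the built-in client defaults then apply).
    if (-not (Test-Path $AuPolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.AUOptions) { return $null }
    return [int]$props.AUOptions
}

function Get-AutoUpdatePolicyDescription {
    # Human-readable summary of the setting, for an audit report or a login banner.
    $value = Get-AutoUpdatePolicy
    if ($null -eq $value) {
        return 'No AU policy set; the built-in default (automatic install) applies.'
    }
    $meaning = if ($AuOptionMeaning.ContainsKey($value)) { $AuOptionMeaning[$value] } else { 'unknown value' }
    return "AUOptions=$value : $meaning"
}

function Set-AutoUpdateNotifyOnly {
    # Switch to notify-before-download: the administrator is told that updates
    # exist, but no download, install or reboot happens until they act.
    if (-not (Test-Path $AuPolicyKey)) { New-Item -Path $AuPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $AuPolicyKey -Name 'AUOptions'    -Value 2 -Type DWord
    Set-ItemProperty -Path $AuPolicyKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
}

Write-Output (Get-AutoUpdatePolicyDescription)
# To apply the notify-only setting, uncomment the next line:
# Set-AutoUpdateNotifyOnly; Write-Output (Get-AutoUpdatePolicyDescription)
```

Notify-only does not remove the risk the thread discusses; it only makes the decision explicit. Whoever receives the notification still has to test the update against anything linked to specific library versions before approving it, otherwise the setting just moves the surprise from 03:00 to whenever the administrator clicks install.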




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com