Home page logo

basics logo Security Basics mailing list archives

Re: Secure host newbie - fun - humm - yup
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Wed, 7 Apr 2004 07:08:37 -0700 (PDT)

hi ya ranjeet
I'd say that most of the **avoidable** security **problems** are created
by human beings (and network admins too).

just going over the recent well-publicised and researched breakins:

ftp.gnu.org - known ptrace kernel exploit (but no solution available) -
TECHNOLOGY + HUMAN (cos admins decided to leave machine running and
"risk it").
Linux kernel.org - new CVS pserver exploit - TECHNOLOGY.
debian - weak password + new rsync exploit + known kernel exploit -
gentoo - new rsync exploit + known kernel exploit - TECHNOLOGY + HUMAN.
gnome - known rsync exploit - HUMAN.

good list 

and the sourceforge.net one - httpd running as nobody instead of uniq-id
and passwd

and, our fun folks at MS and all the managers/decision makers that insist
there is no flat tire :-) "its MS... who are you :-) to disagree with MS"

and, i think rsync and passwdless logins are just asking for a chain
reaction of happy hackers  gone to heaven when their "rm -rf ?" gets
merrily propagated to other [automated dumb] boxes
        - until that happens to somebody, i guess its an uphill battle
        to be listed with wireless and vpn breakins that are publicly
        announced and covered and subsquent security changes

and the wish list is i hope they fix openssh/openssl ... its gets uncomfy
when ssh is exploitable

and job security :-)

and ...
c ya

(My interpretation:
TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
HUMAN - driving around despite knowing that you have a flat tyre.)

I think this shows that the human factor is almost always present when
security problems are discovered.


Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]