Home page logo
/

basics logo Security Basics mailing list archives

RE: Secure host newbie - fun - humm
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Mon, 05 Apr 2004 13:36:28 -0700


I'd say that most of the **avoidable** security **problems** are created
by human beings (and network admins too).

just going over the recent well-publicised and researched breakins:

ftp.gnu.org - known ptrace kernel exploit (but no solution available) -
TECHNOLOGY + HUMAN (cos admins decided to leave machine running and
"risk it").
Linux kernel.org - new CVS pserver exploit - TECHNOLOGY.
debian - weak password + new rsync exploit + known kernel exploit -
HUMAN + TECHNOLOGY + HUMAN.
gentoo - new rsync exploit + known kernel exploit - TECHNOLOGY + HUMAN.
gnome - known rsync exploit - HUMAN.

(My interpretation:
TECHNOLOGY - unexpectedly getting a flat tyre while you're driving.
HUMAN - driving around despite knowing that you have a flat tyre.)

I think this shows that the human factor is almost always present when
security problems are discovered.

Ranjeet.

On Fri, 2004-04-02 at 11:19, Charles Highsmith wrote:
Alvin, simon, Theadore! Doot doot da doot doot doot...  95% of security
is people management?  That's funny. No wonder half this world is
vulnerable to stupid and trivial security issues.

-----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Consulting com] 
Sent: Thursday, April 01, 2004 7:05 PM
To: Simon Lemieux
Cc: security-basics () securityfocus com
Subject: Re: Secure host newbie - fun - humm


hi ya simon

i dont mean to scare ya but...

i'd venture to say ... 95% of security is just people management ...
and 5% is implementing a techie solution

...
- 90% of all security issues is internal ... not from outside the
internet

...

Thank you for your guidelines, though I fear they will not affect me 
since I'm alone with my best friend in this business...  and he knows 
nothing about linux and network.  All I have to fear comes from the 
internet.

you forgot to include *yourself* in the "internal [cr/h]ackers"
      - rm -rf /  will always be an important [security/backup] lesson
:-)

      - all the "security stuff" affects you... even if its only you
      and your own machine and nobody else in the house/bldg

see the links to SAN's top 7, top 20 security boo-boos
      http://www.sans.org/resources/errors.php
      http://www.sans.org/top20
      
      - more -
      http://www.Linux-sec.net

have fun
alvin

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]