RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

From: Curt Purdy (purdy_at_tecman.com)
Date: 10/25/03

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Re: HTML Help API - Privilege Escalation"
    To: <Glenn_Everhart@bankone.com>, <lcamtuf@ghettot.org>
    Date: Fri, 24 Oct 2003 20:44:26 -0500
    

    > I agree that inherent OS features have much to do with their
    > security, but must observe that OSs like VMS and OS/400 have
    > very few security issues

    <snip>

    Agreed, I believe OS/400 may be the most secure out-of-the-box system out
    there. But never underestimate a lousy vendor. My last audit was for a
    HIPAA client that had all patient records on an AS/400. I thought I didn't
    have a chance in heck of touching them. On the AS/400 side that was true,
    with extremely granular access, allowing only certain users to certain data
    that was unreachable otherwise.

    However their main application happened to create a world readable/writable
    Windows share of the records. I simply plugged my laptop into an empty wall
    socket, browsed the IP network (not even logged into anything) and saw,
    copied, and wrote to any record of my choosing. I was so shocked it took me
    a few minutes to realize I just hit a grand slam.

    Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
    Information Security Engineer
    DP Solutions

    ----------------------------------------

    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- White House cybersecurity adviser Richard Clarke


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
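
A check a defender could run after reading the finding above, as an added example that is not part of the original message: it enumerates a host's SMB shares and flags any whose share-level ACL grants write access to Everyone or a similarly broad principal, the kind of world-writable share the post describes. It assumes a Windows host with the SmbShare module (Windows 8 / Server 2012 or later) and local administrator rights; the principal and rights lists are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): flag SMB shares whose share-level
# ACL allows write access to broad principals. Assumes the SmbShare module
# (Windows 8 / Server 2012+) and admin rights on the host being audited.

# Principals that effectively mean "anyone on the network" (assumed list)
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Guests')
# Share-level rights that permit modification of the share contents
$writeRights     = @('Full', 'Change')

# Skip the built-in administrative shares (C$, ADMIN$, IPC$), which are marked Special
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Effective access is the intersection of this share ACL and the NTFS ACL on
    # $share.Path; a permissive share ACL is still worth flagging on its own.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # AccountName is returned as 'Everyone' or 'NT AUTHORITY\Authenticated Users',
        # so compare on the part after the last backslash.
        $principal = ($ace.AccountName -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $principal -and
            $writeRights -contains $ace.AccessRight) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Shares granting broad write access found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No shares grant Full/Change access to Everyone, Anonymous, Authenticated Users or Guests.'
}
```

Run it on each file server, or wrap it in `Invoke-Command -ComputerName` to sweep a fleet; any share it reports should be compared against the NTFS permissions on the underlying folder before deciding it is safe.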
