Re: "Self defense" Attack scripts

From: Hal Flynn (flynn@securityfocus.com)
Date: 08/14/01


Date: Tue, 14 Aug 2001 00:07:12 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Re: "Self defense" Attack scripts
Message-ID: <Pine.GSO.4.30.0108132352190.2025-100000@mail>


> I'm not going to comment on the legality or advisability of this,
> but IMO anyone running IIS exposed to the internet (behind a FW or not)
> *may* be naive, but they are not "innocent", then have been well and
> true co-opted by the forces of ignorance and stupidity, and morally (not
> legally etc.) they deserve whatever they get.

I normally wouldn't have let this post through, but it brought up a good
point that I wanted to ping on.

For those of you thinking the solution is Apache, or any other web server
OTHER than IIS, you're only lying to yourself.

Granted, IIS has had it's share, and perhaps it's share as well as a few
other web server's shares of ills. However, it's still not the end all be
all solution. Might I remind you all of Ramen, or Lion when it comes to
worms? Perhaps you remember a few of the vulnerabilities in other web
servers, as well as the directory traversal vulnerability in Apache 1.3.17
and previous?

Now for your own enjoyment (and sleepless nights), imagine throwing
something such as a PHP Billboard on the web server, or one of the many
poorly written CGIs. Your scope of vulnerability dramatically increases.

I'm not an OS bigot by any means, and I don't particularly care for one
operating system over the other. I do think every operating system has
it's place. That's a discussion, however, that's outside of the scope of
this list, and best over beverages.

The point is that Linux, or UNIX proper, and Apache, aren't necessarily
the end all be all of security. The granularity of the operating system,
as well as the ability to hack it at will gives users and administrators
greater flexibility and control in designing stable, hardened, and secure
systems. The power is entirely yours, however.

Just remember three things:
1) Eventually, there's going to be a remote vulnerability found, or
introduced into the software you use.
2) There may already be.
3) There may already be zero-day.

When it comes to network design and security, it comes down to one thing:
"There's no substitute for a good job." Sticking to procedure and
industry best practice i.e. patching, DMZs, access control, IDS,
vulnerability assessment, etc.

With that said, I'll end this particular limb of the discussion here.

Cheers,

Hal Flynn
Sun/Linux Focus Area Manager
Securityfocus

"Arbeit macht das Leben süss."



Relevant Pages

  • ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IIS
    ... Subject: ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IIS ... This information is distributed by Entercept Security Technologies to alert ... Entercept Security Technologies’ customers running the Web Server agent are ...
    (Bugtraq)
  • Re: Security?
    ... Which Web server do you know better and feel more comfortable configuring? ... For me Windows is the operating system of choice and so is IIS as Web ...
    (microsoft.public.windows.server.security)
  • Masking server type for IIS 5.0
    ... information to mask the Operating System and Web Server ... type being displayed when externally scanning against IIS ...
    (microsoft.public.inetserver.iis.security)
  • Re: Frontpage on XP home
    ... >FrontPage 2003 is the most current version. ... >With XP Home, there is no web server available, so ... WinXP Pro comes with IIS as the ... >> work on this operating system. ...
    (microsoft.public.frontpage.client)
  • [NT] 15 August 2001 Cumulative Patch for IIS
    ... Microsoft has released an important patch for IIS administrators. ... * A denial of service vulnerability that could enable an attacker to ...
    (Securiteam)