Re: "Self defense" Attack scripts

From: Hal Flynn (flynn@securityfocus.com)
Date: 08/14/01


Date: Tue, 14 Aug 2001 00:07:12 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Re: "Self defense" Attack scripts
Message-ID: <Pine.GSO.4.30.0108132352190.2025-100000@mail>


> I'm not going to comment on the legality or advisability of this,
> but IMO anyone running IIS exposed to the internet (behind a FW or not)
> *may* be naive, but they are not "innocent", they have been well and
> true co-opted by the forces of ignorance and stupidity, and morally (not
> legally etc.) they deserve whatever they get.

I normally wouldn't have let this post through, but it brought up a good
point that I wanted to ping on.

For those of you thinking the solution is Apache, or any other web server
OTHER than IIS, you're only lying to yourself.

Granted, IIS has had its share, and perhaps its share as well as a few
other web servers' shares of ills. However, it's still not the end all be
all solution. Might I remind you all of Ramen, or Lion when it comes to
worms? Perhaps you remember a few of the vulnerabilities in other web
servers, as well as the directory traversal vulnerability in Apache 1.3.17
and previous?

Now for your own enjoyment (and sleepless nights), imagine throwing
something such as a PHP Billboard on the web server, or one of the many
poorly written CGIs. Your scope of vulnerability dramatically increases.

I'm not an OS bigot by any means, and I don't particularly care for one
operating system over the other. I do think every operating system has
its place. That's a discussion, however, that's outside of the scope of
this list, and best over beverages.

The point is that Linux, or UNIX proper, and Apache, aren't necessarily
the end all be all of security. The granularity of the operating system,
as well as the ability to hack it at will gives users and administrators
greater flexibility and control in designing stable, hardened, and secure
systems. The power is entirely yours, however.

Just remember three things:
1) Eventually, there's going to be a remote vulnerability found, or
introduced into the software you use.
2) There may already be.
3) There may already be zero-day.

When it comes to network design and security, it comes down to one thing:
"There's no substitute for a good job." Sticking to procedure and
industry best practice, i.e. patching, DMZs, access control, IDS,
vulnerability assessment, etc.

With that said, I'll end this particular limb of the discussion here.

Cheers,

Hal Flynn
Sun/Linux Focus Area Manager
Securityfocus

"Work makes life sweet."